Day 12: OWASP Top 10 2021 – #8 Software and Data Integrity Failures

Posted on by

Making assumptions about software updates, crucial data, and CI/CD pipelines without validating integrity was the focus of a new category in the 2021 OWASP Top 10 called Software and Data Integrity Failures.  Insecure Deserialization is now categorized under this heading.

Failures in the infrastructure and code that prevent integrity violations are referred to as software and data integrity failures. A program that uses plugins, libraries, or modules from questionable sources, archives, or content delivery networks is an illustration of this (CDNs). Users may be in danger of unwanted access, malicious software, or system compromise in an unprotected CI/CD pipeline. Last but not least, many programs today have auto-update options that let updates be downloaded and applied to previously trusted programs without the requirement for integrity checks.

Attackers might conceivably spread and launch their improvements over all platforms using this functionality.

What is Insecure Deserialization?

When user-controllable data is deserialized by a website, this is known as insecure deserialization. This could give an attacker the ability to alter serialized objects and inject malicious data into the application code.

What is CI/CD or CICD?

This refers to the combined processes of continuous integration, continuous delivery, and continuous deployment known as CI/CD or CICD in the field of software engineering. By mandating automation in the creation, testing, and deployment of applications, CI/CD fills the gaps between development and operation activities and teams.

Impact of Software and Data Integrity Failures

Some possible consequences that can occur if there’s software and data integrity failure are as follows:

  • Insertion of malicious code.
  • System compromise
  • Unauthorized information disclosure
Remedy to Software and Data Integrity Failures
  • Make sure the application or data is authentic and hasn’t been tampered with by using digital signatures or other equivalent safeguards.
  • Make sure a review system is in place for code and configuration revisions to lessen the possibility of damaging code or configuration entering your development pipeline.
  • Make sure that your CI/CD pipeline has sufficient segregation, configuration, and access control to safeguard the integrity of the code as it passes through the build and deployment processes.
  • Ensure that serialized data that is not signed or encrypted or that lacks an integrity check or digital signature to detect tampering or replay is not given to unreliable clients.

CWEs List for Software and Data Integrity Failures

References To Get More Understanding of Software and Data Integrity Failures
  • https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/
  • https://portswigger.net/web-security/deserialization
  • https://www.acunetix.com/blog/articles/what-is-insecure-deserialization/

This will be all for the Day 12 post. Hope you enjoyed it, kindly let me know in the comments section. Be sure to check out other blog posts of interest or come back tomorrow for the next day’s post.