Software and Data Integrity Failures – The #8 Web Application Security Risk

Software updates and data transfers are essential to modern applications, but failing to validate their integrity can have catastrophic consequences, as the recently added “Software and Data Integrity Failures” category in the OWASP Top 10 demonstrates. This post explores why this new category matters and the staggering impacts inadequate integrity checks have already caused.

A08:2021 – Software and Data Integrity Failures

Why Software and Data Integrity Matters

When software updates itself or incorporates external code and data, integrity checks validate that the incoming code or data has not been tampered with or corrupted. Without these checks, malicious actors can distribute compromised updates, as in the devastating SolarWinds hack.

This new OWASP category includes failures to verify software updates, CI/CD dependencies, and deserialized data. Though it currently maps to only 10 common weakness enumerations (CWEs), these CWEs appear in approximately 2% of applications tested and have the category’s highest aggregate impact score at 7.94 out of 10. As software supply chain attacks increase, the significance of this category will only grow.

Staggering Impacts

The SolarWinds attack alone impacted 18,000 organizations by distributing compromised software updates. Attributed to Russian hackers Cozy Bear, downstream costs are still accumulating and now average around $12 million per affected organization – 11% of annual revenue.

Another common failure is deserializing untrusted data (CWE-502). When deserialized outside expected use cases, this can enable remote code execution attacks.

Overall, the 10 CWEs in this category were identified in nearly 50,000 tested applications. As software permeates infrastructure and daily life, the potential scale of such attacks will only increase.

Implementing Integrity Checks

Thankfully, OWASP provides useful resources to avoid these failures, including cheat sheets on cryptographic storage and secure DevOps practices.

When incorporating external dependencies in CI/CD pipelines or downloads, hash checks validate the integrity of imported code and data. Enforcing code signatures on software updates can prevent execution of altered binaries.

For deserialized data, integrity checks require an understanding expected data formats and sources. Risk analysis should identify critical serialization points and safeguards against unexpected inputs.

The Bottom Line

Increasing integration of third-party code and frequent updates drive modern software velocity but require thoughtful integrity checks to avoid potentially staggering impacts. By learning from past failures and applying OWASP’s guidance, development teams can release secure, resilient software without compromising speed or efficiency.

Focusing on integrity protections makes applications safer for end-users and businesses alike – a worthwhile investment as software takes a growing role in global systems and infrastructure.

We hope this post helped in learn about OWASP's Top #7 application security risk Software and Data Integrity Failures. Thanks for reading this post. Please share this post and help secure the digital world. Visit our website, thesecmaster.com, and our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram and subscribe to receive updates like this.