OWASP #8 (2021) – Software and Data Integrity Failures
This category focuses on trust - specifically, trusting the integrity of software, updates, and data.
Problems arise when:
- Apps load code from CDNs or third parties without verifying its integrity.
- CI/CD pipelines deploy code without signature checks.
- Systems auto-update from untrusted or unsigned sources.
- Dependency chains include compromised or malicious packages.
A now-famous example is the SolarWinds supply chain attack, where trusted software updates delivered backdoors.
To defend against this:
- Use digital signatures for software and artifacts.
- Verify the integrity of third-party libraries and update sources.
- Secure the CI/CD pipeline and control who can push code.
- Treat software supply chains as a potential attack surface.
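As an added example (not part of the original page), the following Python shows the first failure above, loading third-party code without an integrity check, and the matching defence: pinning a CDN-hosted script with a Subresource Integrity (SRI) value and refusing a copy whose bytes no longer match. The script content is constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample: the bytes a CDN-hosted script is expected to contain.
EXPECTED_SCRIPT = b"window.greet = function () { return 'hello'; };\n"

# Algorithms SRI permits, ranked by strength (browsers enforce the strongest given).
SRI_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return an SRI value such as 'sha384-<base64 digest>' for the given bytes."""
    if algorithm not in SRI_STRENGTH:
        raise ValueError("SRI only permits sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content: bytes, integrity: str) -> bool:
    """Check fetched bytes against an integrity attribute.

    The attribute may carry several space-separated values. As in browsers, only
    values using the strongest recognised algorithm are considered, and any one
    of them matching is enough. Unlike a browser, which ignores an attribute with
    no recognised algorithm, this helper fails closed and returns False.
    """
    candidates = []
    for token in integrity.split():
        algo, _, _digest = token.partition("-")
        if algo in SRI_STRENGTH:
            candidates.append((SRI_STRENGTH[algo], algo, token))
    if not candidates:
        return False
    best = max(rank for rank, _, _ in candidates)
    for rank, algo, token in candidates:
        # Constant-time comparison of the recomputed value with the pinned one.
        if rank == best and hmac.compare_digest(sri_hash(content, algo), token):
            return True
    return False


if __name__ == "__main__":
    pinned = sri_hash(EXPECTED_SCRIPT)          # value to place in <script integrity="...">
    tampered = EXPECTED_SCRIPT.replace(b"hello", b"pwned")
    print("pinned:", pinned)
    print("genuine copy accepted:", verify_sri(EXPECTED_SCRIPT, pinned))
    print("tampered copy accepted:", verify_sri(tampered, pinned))
```

The same check belongs wherever third-party code is pulled in outside a browser, for example a build step that downloads a vendored library and compares it against a pinned hash before bundling.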
Assume attackers will try to slip malicious code in through the side door - integrity failures are about preventing that.