OWASP Top Ten - Software and Data Integrity Failures
This new addition to the 2021 OWASP Top Ten list includes a range of integrity violations for code and infrastructure.
All examples of potential attacks in this article are for demonstration and educational purposes only. They should never be used outside of a lab environment or to harm other computers, users, etc.
What are Software and Data Integrity Failures?
These are all the various integrity failures that can occur in the software development lifecycle.
Some common integrity failures are:
- Insecure Deserialization
- This was a standalone risk in the 2017 Top Ten, but has since been rolled into this more inclusive category for 2021
- Including 3rd party content in your application from sources you don’t control
- Not properly securing your CI/CD pipeline
- Automatically updating software without performing sufficient integrity checks
Possible Ways to Help Prevent Software and Data Integrity Failures
OWASP recommends at least 6 actions you can take to help prevent this security risk:
- Using digitial signatures (or something similar) to verify that software or data has not been altered
- Ensuring libraries and dependencies are using trusted repositories
- Using a software supply chain security tool to verify that components do not contain known vulnerabilities
- Implementing a review process for code and configuration changes to reduce the chance that malicious code or configurations can be introduced
- Ensuring your CI/CD pipeline has proper segregation, configuration, and access control
- Ensuring that unsigned or unencrypted serialized data always has some form of integrity check or digital signature to detect tampering or replay of the serialized data
Sum It Up
Pretty much every piece of technology is built with 3rd party components. We all rely on updates to keep our software secure. Quite often we need to serialize data for transport. But there are risks to these activities. Attacks on software and data integrity is an ever-present and growing threat.
By being aware of the risks to software and data integrity, we can put processes in place, like those listed above, to help reduce the risk of a successful attack.
Check out the resources below to help further your knowledge and keep learning so you can build customized solutions that work for your situation.