Date: Sep 9, 2021, 9:20:15 AM

Date: Sep 30, 2021, 12:41:23 PM

Editor: Cedric

Editor: Cedric

Name: A08:2021 – Software and Data Integrity Failures

Name: A08:2021 – Software and Data Integrity Failures

Description: Software and data integrity failures relate to code and infrastructure that does not protect against integrity violations. For example, where objects or data are encoded or serialized into a structure that an attacker can see and modify is vulnerable to insecure deserialization. Another form of this is where an application relies upon plugins, libraries, or modules from untrusted sources, repositories, and content delivery networks (CDNs). An insecure CI/CD pipeline can introduce the potential for unauthorized access, malicious code, or system compromise. Lastly, many applications now include auto-update functionality, where updates are downloaded without sufficient integrity verification and applied to the previously trusted application. Attackers could potentially upload their own updates to be distributed and run on all installations.

Description: Software and data integrity failures relate to code and infrastructure that does not protect against integrity violations. For example, where objects or data are encoded or serialized into a structure that an attacker can see and modify is vulnerable to insecure deserialization. Another form of this is where an application relies upon plugins, libraries, or modules from untrusted sources, repositories, and content delivery networks (CDNs). An insecure CI/CD pipeline can introduce the potential for unauthorized access, malicious code, or system compromise. Lastly, many applications now include auto-update functionality, where updates are downloaded without sufficient integrity verification and applied to the previously trusted application. Attackers could potentially upload their own updates to be distributed and run on all installations.