Updated
Sep 9, 2021, 9:20:15 AM
Name
A08:2021 – Software and Data Integrity Failures
Description
Software and data integrity failures relate to code and infrastructure that does not protect against integrity violations. For example, where objects or data are encoded or serialized into a structure that an attacker can see and modify is vulnerable to insecure deserialization. Another form of this is where an application relies upon plugins, libraries, or modules from untrusted sources, repositories, and content delivery networks (CDNs). An insecure CI/CD pipeline can introduce the potential for unauthorized access, malicious code, or system compromise. Lastly, many applications now include auto-update functionality, where updates are downloaded without sufficient integrity verification and applied to the previously trusted application. Attackers could potentially upload their own updates to be distributed and run on all installations.
{}