A08 - 2021: Software and Data Integrity Failures

Introduction

This vulnerability makes an entrance in the top 10 in the year 2021. The category itself focusses on everything related to insecure CI/CD pipelines, software updates and critical data. It's all about how these processes might use resources without verifying the integrity.

What is it?

We need to divide this issue category further into 3 big sections to properly understand what it's about. This will help us see how there can be different manifestations of this issue type and how we should be weary of using any unverified resource.

Software updates

First of all we need to talk about software updates and we can be brief about this one. Whenever software updates, it should verify the integrity of the resource it is using. Failure to do so might lead to attackers slipping in unapproved resources with their own malicious code embedded into it. This can manifest in a range of different ways such as software auto updating without verifying the integrity but it might also come from attackers targeting security updates specifically as they know those are most often pushed onto systems.

Serialised input

Another section we have to look at is the ingestion of user controllable input into a serialised object. Developers often rely on what they think are safe algorithms to deserialise an object but if the object can be user controllable and the integrity is not checked, an attacker might just as well be able to control the object in unexpected ways.

How can we prevent it?