Software or Data Integrity Failures in OWASP Top 10: 2025

Software-or-Data-Integrity-Failures-in-OWASP-Top-10-2025

Software or Data Integrity Failures is ranked as A08 in the OWASP Top 10: 2025. This security risk occurs when an application fails to verify the integrity and authenticity of software, code, updates, or data before using them. If developers blindly trust external components without validation, attackers can introduce malicious code that compromises the entire application.

What are Software or Data Integrity Failures?

Software or Data Integrity Failures occur when applications or development pipelines use software, libraries, plugins, modules, or updates from untrusted sources without verifying their integrity.

This vulnerability is commonly seen when:

  • Software packages are downloaded from unofficial or third-party websites.
  • Libraries or plugins are imported from untrusted repositories.
  • Content Delivery Networks (CDNs) are used without integrity verification.
  • Automatic software updates are installed without validating authenticity.
  • CI/CD pipelines integrate third-party plugins or scripts without integrity checks.

If integrity verification is missing, attackers can replace legitimate software with malicious versions, leading to severe security breaches.

How Attackers Exploit This Vulnerability

Attackers often upload modified or malicious code to public repositories, compromised servers, or fake package sources. When developers unknowingly download and integrate these packages into their applications, the malicious code becomes part of the software.

Similarly, attackers may compromise a Git repository or inject malicious code into a CI/CD pipeline. Once deployed, the infected application can expose sensitive data, execute unauthorized commands, or compromise all users of the application.

Example

Suppose a developer needs a package for a web application. Instead of downloading it from the official source, they obtain it from an unknown third-party website.

The package appears legitimate but contains hidden malicious code. Since no integrity verification is performed, the package is integrated into the application and deployed to production. As a result, attackers gain an entry point into the application, putting both the organization and its users at risk.

Prevention

To reduce the risk of Software or Data Integrity Failures:

  • Always verify the integrity and authenticity of software before using it.
  • Download software, libraries, and plugins only from trusted repositories.
  • Validate software updates before deployment.
  • Review all newly integrated code to detect malicious changes.
  • Perform integrity checks for third-party components used in CI/CD pipelines.
  • Regularly monitor dependencies for security issues and unauthorized modifications.

Commonly Mapped CWEs

  • CWE-345 – Insufficient Verification of Data Authenticity
  • CWE-353 – Missing Support for Integrity Check
  • CWE-426 – Untrusted Search Path
  • CWE-494 – Download of Code Without Integrity Check
  • CWE-502 – Deserialization of Untrusted Data
  • CWE-506 – Embedded Malicious Code
  • CWE-830 – Inclusion of Web Functionality from an Untrusted Source

Software or Data Integrity Failures (A08) highlight the importance of verifying the authenticity and integrity of every software component before it becomes part of an application. Using trusted repositories, validating updates, reviewing code, and securing CI/CD pipelines significantly reduce the risk of introducing malicious code into production environments.

For more information, visit the official OWASP Top 10 project at https://owasp.org/www-project-top-ten/

Related Posts