A newer addition to the OWASP Top 10, software and data integrity failures (no.8) focus on supply chain risks, unverified updates, and tampered data. When applications fail to check the authenticity and integrity of code, configurations, or dependencies, attackers exploit this trust to insert malicious software, hijack pipelines, or deploy unauthorised code.

–

01 – What are software and data integrity failures?

These failures occur when an application does not properly validate the code or data it processes. Common examples include:

• Unverified software updates – Installing updates or dependencies without verifying a digital signature, checksum, or authenticity proof.
• Insecure CI/CD pipelines – Build environments with weak access controls, allowing attackers to inject malicious code during development or deployment.
• Untrusted dependencies – Importing open–source libraries from compromised or unofficial sources, exposing your software to dependency confusion or typosquatting attacks.
• Unsafe deserialisation – Loading untrusted serialised data without validation, which can result in remote code execution (RCE) or privilege escalation.

Why does this matter? Because once tainted software or manipulated data is introduced, it can spread across systems and entire organisations, leading to severe breaches.

–

02 – How is it exploited?

Attackers target the weakest links in software distribution, updates, and automation pipelines to inject malicious code into trusted applications.

• SolarWinds Orion Attack (2020) – Attackers infiltrated the software build process and inserted a backdoor into an update, compromising 18,000+ organisations, including government agencies and Fortune 500 companies.
• Dependency Confusion Attacks (2021) – Researchers demonstrated how malicious versions of internal dependencies could be tricked into replacing trusted code in Microsoft, Apple, and Tesla systems. Attackers use higher version numbers to fool package managers into installing the wrong dependency.
• Codecov CI/CD Breach (2021) – Attackers compromised a supply chain script, allowing them to steal credentials and API keys from development environments, which were later used for wider attacks.

Without integrity verification, attackers don’t need zero-days – they simply infiltrate your supply chain and distribute compromised code through legitimate updates.

–

03 – How do you prevent integrity failures?

Protecting software integrity requires securing updates, pipelines, and dependencies with strong cryptographic validation.

• Verify updates and third–party code – Require digital signatures (Code Signing, GPG, or Sigstore) and verify hashes (SHA–256/SHA–512) before installing software.
• Secure the build & deployment pipeline – Enforce least privilege (MFA, signed commits, access controls) and monitor CI/CD changes with build attestation (e.g. in–toto, Sigstore Rekor).
• Use trusted dependencies – Implement an SBOM, fetch packages only from official sources, and enable automatic vulnerability scanning (e.g. OWASP Dependency–Check, Snyk, Trivy).
• Mitigate unsafe deserialisation – Avoid deserialisation when possible, use strict allow–listing, and sandbox untrusted deserialisation to prevent code execution risks.
• Monitor and audit integrity – Log all software changes, track package installations, and set up real–time alerts for unauthorised modifications in code or CI/CD environments.

–

In summary, treat software integrity as a first–class security concern. Attackers don’t need to break into your network if they can compromise your software supply chain. By enforcing cryptographic verification, securing your build pipeline, and monitoring software dependencies, you prevent supply chain attacks before they happen.