Welcome back to our ten-part blog series on the OWASP Top Ten list of 2021. In the eighth instalment, we continue to deliver a high-level overview key threats that organisations face in the digital world. Today’s focus is on Software and Data Integrity Failures.

Understanding Software and Data Integrity Failures

Previously unranked in the OWASP Top Ten List 2017, Software and Data Integrity Failures is a new category that has emerged as a significant concern. These failures occur when software and data are not validated or when software updates are not properly verified. This can lead to unauthorised and potentially malicious alterations, impacting the security of applications and data.

To visualise this, imagine you have a library with a large variety of books. Each book in our library is representative of a piece of software or data. If anyone could come in and replace or alter these books without the proper checks, misinformation could easily spread. These ”books” could be replaced with others that have the same cover, but completely different content!
Similarly, in the digital space, if software updates or data alterations aren’t properly verified, it could lead to compromised systems and data breaches.

Common Risks Associated with Software and Data Integrity Failures

  1. Unverified Software Updates:
    Software updates that are not verified can introduce vulnerabilities or malicious code into the system. Checks should be made that ensure the software you install is what it says it is and is from who it should be from.
  2. Improper or Insecure Disposal:
    Retired devices such as old hard drives or desktop PCs that have been abandoned or disposed of without properly wiping their contents may expose sensitive information to malicious entities.
  3. Supply Chain Attacks:
    Attackers can infiltrate a supply chain, affecting multiple products or services with a single attack. This can have a knock-on effect on the entire supply chain.
  4. Inadequate Code Signing:
    Without proper code signing implementation, distinguishing between legitimate and compromised software becomes difficult.
  5. Lack of Support for Integrity Checks:
    When software does not or cannot verify data integrity, an attack may find it easier to modify or even delete data without being detected.

Strategies to Mitigate Software and Data Integrity Failures

  1. Implement Rigorous Validation Processes:
    Ensure all software and data undergo thorough validation and integrity checks before deployment.
  2. Implement Review Processes:
    Ensure that a review process is implemented for any code or configuration changes. This helps the minimise the chance of malicious sections of code or configurations are introduced into your infrastructure.
  3. Implement Code Signing:
    Utilise code signing to ensure software authenticity and integrity.
  4. Secure the Supply Chain:
    Monitor and audit the security practices of third-party suppliers to reduce the risk of supply chain attacks. This can be achieved with software supply chain security tools.
  5. Regular Security Audits:
    Conduct regular audits of both software and data to ensure integrity and identify potential vulnerabilities.
  6. Educate Stakeholders:
    Raise awareness among developers, users, and suppliers about the importance of software and data integrity.
  7. Continuous Monitoring for Anomalies:
    Implement monitoring systems that can detect unusual activities suggesting integrity breaches.

Final Thoughts

Ensuring software and data integrity is crucial in maintaining secure web applications and systems. Tackling these vulnerabilities likely requires a combination of technical solutions and awareness. The common theme emerging in this series is that cybersecurity is an ongoing process of constant vigilance and swift adaptation, essential for a secure digital ecosystem.

When conducting penetration tests against a client’s web application, the team at CyberWhite follow the OWASP framework closely. This allows us to check applications against the OWASP Top Ten list, including Software and Data Integrity Failures as explored in this blog post.