Skip to content
Archived content. You are viewing v1 of SME Digital Advisor — the original multi-section site (risks, scenarios, policies, OWASP, flashcards). Go to current site →

OWASP A08: Software and data integrity failures

Can someone tamper with your software or data updates without you noticing?

Based on the OWASP Top 10 — 2021 edition. Check owasp.org/Top10 for the current edition.

Background

How modern software updates itself. Auto-updates from untrusted sources or unverified library pulls can be poisoned — the SolarWinds incident was the famous example.

Questions to ask yourself

  • Where do our software updates come from? Are they signed?
  • Are we using third-party libraries without pinning versions?
  • If our deployment pipeline got compromised, would we know?
  • Who has rights to push code to production?

For owners — questions to ask your developer

Questions to ask your developer

Supply chain matters — even if you don't write code.

  • 01“Are third-party libraries pinned to specific versions, or do we auto-pull the latest? Pinned is safer.”
  • 02“Who has the right to push code to production? Is there two-person review on production deploys?”
  • 03“Where do our software updates come from, and how do we verify they haven't been tampered with in transit?”