After this lesson, you will be able to: Recognize, find, and fix Software and Data Integrity Failures (OWASP A08): trusting code, updates, or data whose integrity was never verified.
Software and Data Integrity Failures is OWASP A08: the app trusts software updates, plugins, CI/CD pipelines, or serialized data without verifying it has not been tampered with. This is the supply-chain category, and it produced some of the most damaging breaches of the decade.
Integrity failures happen when you run or trust something without checking it is authentic and unmodified: auto-updates pulled over an unverified channel, dependencies from a registry with no signature/lockfile, a CI/CD pipeline an attacker can inject into, or insecure deserialization (turning attacker-controlled bytes back into objects that execute code). The common thread: trusting data or code whose integrity was never validated.
Audit the trust boundaries of your code and data.
Trace where code/updates come from: are they signed and verified before execution?
Check the dependency supply chain: lockfiles pinned? integrity hashes checked? registry trusted?
Review the CI/CD pipeline: who can modify it, what secrets it holds, whether build artifacts are signed.
Search for insecure deserialization: any place that deserializes untrusted input (pickle, Java serialization, unsafe YAML).
Look for auto-update or plugin mechanisms that fetch and run code without signature verification.
Verify integrity before you trust; never deserialize untrusted input.
# DEPENDENCIES: pin + verify integrity# - commit lockfiles (package-lock.json, poetry.lock) with integrity hashes# - use signed packages / a trusted internal registry where possible# CI/CD: harden the pipeline# - least-privilege on pipeline secrets; protected branches; signed commits# - sign build artifacts (e.g. Sigstore/cosign) and verify signatures on deploy# DESERIALIZATION: never deserialize untrusted input into code# VULNERABLE (Python)import pickleobj = pickle.loads(user_supplied_bytes) # can execute arbitrary code# FIXED: use a data-only format and validateimport jsonobj = json.loads(user_supplied_bytes) # data, not code; then schema-validate
Pick the best answer.
Sign in and purchase access to unlock this lesson.