Eliminating Race Conditions in APIs through Synchronized Code Execution
Eliminating Race Conditions in APIs through Synchronized Code Execution
July 4, 2025
CVE-2025-32433: Pre-Authentication Remote Code Execution in Erlang SSH
CVE-2025-32433: Pre-Authentication Remote Code Execution in Erlang SSH
July 9, 2025

July 4, 2025

Understanding OWASP A08 : Software And Data Integrity Failures

Software and data integrity failures happen when someone makes unauthorized changes to software, code, or data often because updates were not secure, important checks were missing, or known flaws were never fixed.

The SolarWinds breach is a well-known example of a software and data integrity failure, where attackers infiltrated the CI/CD pipeline and inserted malicious code into a routine Orion update. As per a report in ZDNET, they pushed the update to over 18,000 SolarWinds customers, including some US federal agencies and major corporations. It shows how common and costly these failures can be.

In this blog, we’ll look at what causes software and data integrity failures, what kind of risks they create, and how you can protect your systems from them.

This isn’t just a one-off problem. Software and data integrity failures are listed in the OWASP Top 10 for a reason. For a more holistic look at the  common security risks facing web apps today, check out our guide on top 10 OWASP security risks.

Understanding Software and Data Integrity Failures

Software and data integrity failures arise from vulnerabilities, such as insecure updates, code tampering, or insufficient validation of data inputs. When integrity is compromised, systems may behave unpredictably. Such failures manifest in various ways.

For instance, an attacker might exploit a weak update mechanism to inject malicious code into a software update. This happened in the SolarWinds breach. Similarly, insufficient input validation in web applications can allow attackers to inject malicious scripts (e.g., SQL injection), altering or stealing data. 

Ransomware attacks are another example, where attackers encrypt critical data, rendering it unusable until a ransom is paid.

Causes of Software Data And Integrity Failure

Lack of proper version control

Improper handling of version control can create a mess. Things can go wrong faster than expected. Bugs can sneak in codes and sometimes outdated code even makes it to production. 

And when such things happen, rolling back to a stable version becomes a headache. Therefore, it requires a solid process oriented system to track changes, manage code updates, and keep everyone on the same page.

Weak CI/CD pipeline security

CI/CD pipelines help release software fast, but if not properly secured, they become prime targets for attackers. Hackers can inject malicious code during the code deployment process. To avoid such incidents, CI/CD pipelines need tight security, Implement strong authentication, strict access controls, and regular checkups. Without these, the whole delivery process becomes a liability.

Ignoring third-party library risks

Relying on third-party libraries and tools without proper verification is  like inviting a stranger into your house without asking questions. Components from untrusted repositories can have hidden vulnerabilities that can create openings for attackers. 

Developers need to be careful about what they use, thoroughly vetting third-party code to make sure it’s safe. 

Skipping code signing

Code signing tells you the software is legit and hasn’t been tampered with. Without proper code signing, you could end up running malicious software thinking it’s a legitimate update. 

Flawed update systems

Automatic updates are convenient, but if they’re not done right, they can cause security issues. When tech teams push updates without proper checks, there’s a risk of installing corrupted or malicious files.

This can turn a routine update into a major security incident. To avoid this, update mechanisms need to include integrity checks and keep users in the loop. Addressing these issues head-on is key to building and maintaining secure, reliable systems.

Mapped CWE And Associated Risks

CWE-345: Insufficient Verification of Data Authenticity

This CWE-345 describes a scenario where software does not sufficiently verify the origin or authenticity of data. Insufficient verification of data authenticity can allow attackers to inject malicious data, potentially altering the software security environment. Exploitation could range from denial of service to changing the code that the products executed.

For instance,  multiple operational technology (OT) vendors did not sign firmware images, which made them vulnerable. In one case, a vulnerability in the data server allowed the renaming of files in the IGSS project report directory, resulting in Denial of Service (DoS).

CWE-353: Missing Support for Integrity Check

CWE-353 addresses the absence of integrity checks in software. Without these checks, ensuring data integrity is difficult. The lack of integrity checks enables undetected data modification.

 Attackers can tamper data-in-transit or data-at-rest without being detected, potentially compromising systems. 

CWE-426: Untrusted Search Path

CWE-426 vulnerability occurs when software uses an untrusted search path to load libraries or modules. As a result, attackers can control the search path and inject malicious code. By merely placing a malicious library in a directory, an attacker can trick the software into loading and executing their code, leading to arbitrary code execution.

CWE-494: Download of Code Without Integrity Check

This CWE refers to the practice of downloading code without verifying its integrity. It poses a significant risk of executing malicious code. If software downloads and code execution take place without checking its authenticity or integrity, there is a danger that attackers can replace the legitimate code with the malicious code. 

Real World Examples of Software And Data Integrity Failures

Example #1: The 3CX breach (2023)

3CX Desktop App is popularly used in business communication, such as chat, voice, and video calls. In March 2023, attackers managed to compromise its software through a supply chain attack. They secretly modified the official version of the app by including malware, available for download from 3CX’s own website. 

The infected version had hidden code that triggered a program called SUDDENICON. This program acted like a downloader. It reached out to GitHub, a code-sharing platform, and pulled encrypted icon files. 

But these icon files contained hidden server addresses. It was designed to steal data from web browsers, such as saved credentials, browsing history, or autofill details.

Example #2: Codecov breach (2021)

The Codecov breach highlights a software and data integrity failure, where attackers exploited a flaw in Codecov’s Docker image process to modify a Bash script and steal credentials. 

The modified script silently collected sensitive information, such as credentials, tokens, and personally identifiable information (PII), from users’ CI/CD environments and sent it to a third-party server controlled by the attackers. 

Since Codecov was used by thousands of organizations, the breach had a wide-reaching impact, including potential access to internal systems and source code. This incident underscores the risks of relying on third-party tools in software development pipelines without validation.

Best Practices for Prevention of Software Data And Integrity Failure

Verify with digital signatures

    • Always use private keys to create unique code signatures.
    • Allow users to verify with public keys for authenticity.
    • Ensure software remains untampered and malware-free.

    Use trusted repositories

      •  Download software only from verified sources.
      •  Avoid unverified or third-party repositories.
      •  Regularly audit and update repository contents. 

      Leverage supply chain security tools

        • Monitor and assess third-party dependencies.
        • Automate vulnerability scanning for early detection.
        • Ensure only secure components are used in development.

        Review code and config changes

          • Conduct regular code reviews to catch vulnerabilities.
          • Scrutinize configuration changes for compliance.
          • Maintain detailed records for accountability.

          Secure your CI/CD pipeline

            • Implement strict access controls and secure credentials.
            • Regularly audit pipeline configurations.
            • Prevent unauthorized changes to builds or deployments.

            Protect serialized data

              • Encrypt serialized data during storage and transmission.
              • Validate and sanitize data during deserialization.
              • Prevent attacks like injection or remote code execution.

              Conclusion

              Software and data integrity failures, such as the Equifax disaster or SolarWinds hack show how fast things can spiral out of control when security takes a backseat. Fixing it is not simple. Skip this, and you’re inviting trouble. Weak updates, patchy codes, missing updates can cost millions and hurt reputations. Get in touch with SecureLayer7 to know how our experts can help you deal with the challenges.

              Discover more from SecureLayer7 - Offensive Security, API Scanner & Attack Surface Management

              Subscribe now to keep reading and get access to the full archive.

              Continue reading