This category covers code and infrastructure that accept software updates, critical data, or CI/CD pipeline artifacts without verifying their integrity.
Software and data integrity failures arise wherever code or infrastructure does not protect against integrity violations. A typical example is an application that relies on plugins, libraries, or modules pulled from untrusted sources, package repositories, or content delivery networks (CDNs) without pinning or verifying what it receives.
An insecure CI/CD pipeline can potentially lead to unauthorized access, malicious code injection, or system compromise.
OWASP Top 10 Application Security Risks - 2021 | Reference |
---|---|
A08:2021 – Software and Data Integrity Failures | OWASP |
Many applications include automatic update features, where updates are downloaded without sufficient integrity verification and applied to the previously trusted application. An attacker who can reach the update channel (a compromised update server, CDN, or network path) could then distribute their own update and have it executed on every installation.
Francesco Ongaro
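The following is an added example, not code from the page or from OWASP, showing the difference between the updater described above and one that verifies integrity before applying anything. It also covers the CDN case mentioned earlier: the client pins the publisher's Ed25519 public key and only accepts an update whose manifest verifies against that key and whose payload hash matches the signed manifest. The manifest format, the integer version field, and the sample payloads are assumptions made for this illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the update metadata the publisher signs (assumed format).
// Version is a monotonically increasing integer so the client can refuse rollbacks.
type Manifest struct {
	Version int    `json:"version"`
	SHA256  string `json:"sha256"`
}

// SignedManifest is what the update server or CDN hands to the client.
type SignedManifest struct {
	Manifest  []byte `json:"manifest"`
	Signature []byte `json:"signature"`
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned publisher key")
	ErrHashMismatch = errors.New("payload digest does not match the signed manifest")
	ErrRollback     = errors.New("update is not newer than the installed version")
)

// sha256Hex returns the hex-encoded SHA-256 digest of data.
func sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// PublisherSign runs on the publisher's side at release time: it pins the
// payload digest in the manifest and signs the manifest with the private key.
func PublisherSign(priv ed25519.PrivateKey, version int, payload []byte) SignedManifest {
	raw, _ := json.Marshal(Manifest{Version: version, SHA256: sha256Hex(payload)})
	return SignedManifest{Manifest: raw, Signature: ed25519.Sign(priv, raw)}
}

// InsecureAccept models the updater A08 warns about: it trusts whatever the
// server sends and never checks that the manifest came from the publisher.
// The hash check is useless here because the attacker controls both values.
func InsecureAccept(sm SignedManifest, payload []byte) (Manifest, error) {
	var m Manifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return m, err
	}
	if m.SHA256 != sha256Hex(payload) {
		return m, ErrHashMismatch
	}
	return m, nil
}

// VerifyUpdate is the hardened path. pub is pinned in the client binary, so a
// compromised server, CDN, or network path cannot forge an acceptable manifest.
func VerifyUpdate(pub ed25519.PublicKey, sm SignedManifest, payload []byte, installed int) (Manifest, error) {
	var m Manifest
	// 1. Authenticate the manifest before parsing anything out of it.
	if !ed25519.Verify(pub, sm.Manifest, sm.Signature) {
		return m, ErrBadSignature
	}
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return m, err
	}
	// 2. Bind the downloaded payload to the digest the publisher signed.
	want, err := hex.DecodeString(m.SHA256)
	sum := sha256.Sum256(payload)
	if err != nil || !bytes.Equal(want, sum[:]) {
		return m, ErrHashMismatch
	}
	// 3. Refuse downgrades to an older, still validly signed release.
	if m.Version <= installed {
		return m, ErrRollback
	}
	return m, nil
}

// Scenario simulates an attacker who controls the update server and swaps the
// genuine release for a malicious one. Payloads are constructed sample data.
func Scenario() (insecureErr, secureErr, genuineErr error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)

	genuine := []byte("app v2: constructed sample payload")
	malicious := []byte("app v2: constructed backdoored payload")

	good := PublisherSign(priv, 2, genuine)         // signed offline by the publisher
	evil := PublisherSign(attackerPriv, 2, malicious) // attacker can only sign with their own key

	_, insecureErr = InsecureAccept(evil, malicious)     // nil: backdoor gets installed
	_, secureErr = VerifyUpdate(pub, evil, malicious, 1) // ErrBadSignature
	_, genuineErr = VerifyUpdate(pub, good, genuine, 1)  // nil: legitimate update applies
	return
}

func main() {
	a, b, c := Scenario()
	fmt.Println("insecure updater accepted forged update:", a == nil)
	fmt.Println("verified updater rejected forged update:", errors.Is(b, ErrBadSignature))
	fmt.Println("verified updater accepted genuine update:", c == nil)
}
```

The order of checks matters: the signature is verified over the raw manifest bytes before they are parsed, so untrusted input is never interpreted until it has been authenticated, and the version check is done on signed data so that an attacker replaying an old, genuinely signed release is rejected as well.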