LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

What is A08 Software and Data Integrity Failures?

Code or data is trusted without verifying it wasn't tampered with — an unsigned update, a package from an unvetted source, or a compromised build pipeline silently ships attacker code to all your users.

The defining example is the SolarWinds attack (2020): attackers compromised the build pipeline and injected a backdoor into a signed, legitimate-looking software update, which then auto-installed across thousands of organizations. The root issue wasn't a code bug — it was trusting the supply chain without verifying integrity. The fix is to verify signatures on everything you ingest (updates, dependencies, deserialized data) and to secure the CI/CD pipeline itself, since whoever controls the build controls every customer.

Issues:

  • Unverified software packages (no signature verification)
  • Ingestion of untrusted data without validation
  • Insecure CI/CD configuration (compromised pipeline)

Countermeasures:

  • Verify signatures of data and software
  • Use trusted repositories only
  • Establish review process for code and dependencies
  • Check for known vulnerabilities (SCA tools)
  • Ensure secure CI/CD pipeline configuration

Go deeper:

From Quiz: SPRG / OWASP Top 10 | Updated: Jul 05, 2026