What is A08 Software and Data Integrity Failures?
Code or data is trusted without verifying it wasn't tampered with — an unsigned update, a package from an unvetted source, or a compromised build pipeline silently ships attacker code to all your users.
The defining example is the SolarWinds attack (2020): attackers compromised the build pipeline and injected a backdoor into a signed, legitimate-looking software update, which then auto-installed across thousands of organizations. The root issue wasn't a code bug — it was trusting the supply chain without verifying integrity. The fix is to verify signatures on everything you ingest (updates, dependencies, deserialized data) and to secure the CI/CD pipeline itself, since whoever controls the build controls every customer.
Issues:
- Unverified software packages (no signature verification)
- Ingestion of untrusted data without validation
- Insecure CI/CD configuration (compromised pipeline)
Countermeasures:
- Verify signatures of data and software
- Use trusted repositories only
- Establish review process for code and dependencies
- Check for known vulnerabilities (SCA tools)
- Ensure secure CI/CD pipeline configuration
Go deeper:
OWASP Top 10 — A08: Software and Data Integrity Failures — supply-chain and integrity failures.