Table of Contents
One of the newest considerations to web application security is software and data integrity failures. While OWASP has been cranking out their Top 10 list since 2003, it wasn’t until the 2021 release that this type of vulnerability made the list.
In the cyber security world whether you’re a small business or large enterprise web application vulnerabilities are always a hot topic of discussion. The list organizes and succinctly displays the most relevant and prevalent web application threats we face today. However, how do these vulnerabilities affect your business? What enables them to be vulnerable and how are they exploited? Most importantly, should you be concerned? .
On the newest version of the OWASP Top 10 list, released in September 2021, is software and data integrity failures, also known as supply chain attacks comes in at number eight. This category is new to the OWASP Top 10 list and details software or data which does not properly check for its original integrity.
Examples of Software and Data Integrity Failures
While implementing updates and securing data is an important aspect of security, it is also crucial to ensure that the software and data maintains its original integrity. Examples of software and data integrity failures include:
- CI/CD (Continuous Integration / Continuous Delivery) pipeline
In this instance, the pipeline which assists with the distribution of updates is infiltrated by a perpetrator who planted malicious code. If the changes from the pipeline were to be implemented without secure data integrity checks, then the malicious code would be propagated. Implementers of this code would believe the updates they are installing are secure; nevertheless, they are assisting the perpetrator with propagating malicious code from a trusted source. A real-world scenario of this example includes the SolarWinds supply chain attack from 2020.
- Insecure disposal
Devices such as retired computers, hard disk drives, and solid-state drives which were not properly wiped may expose sensitive information in an uncontrolled manner and to potentially malicious entities.
- Compromised pre-installed software
Use of software which was secretively designed to perform actions such as collecting and delivering sensitive information to malicious entities. A real-world scenario of this example includes an outsourced company who designed software for a US cellphone manufacturer. The software would then collect and send sensitive data back to the malicious entity.
Common attack techniques
Threat actors use different techniques to exercise software and data integrity failures. Some of the most common techniques include:
- Hijacking updates
Most modern software requires routine updates to address and fix bugs and security issues. These updates are often distributed from centralized servers to customers as part of routine maintenance. Hackers and other bad actors who are able to infiltrate the vendor’s network are then able to insert malware into the updates or alter existing updates to grant the threat actor access and control over the software.
- Undermining code signing
Hackers are able cause software and data integrity failures by hijacking software updates through forged code signing tactics. A threat actor will self-sign certificates, break signing systems, or exploit misconfigured account access controls to impersonate a trusted vendor. They can then leverage this access to insert malicious code.
- Compromising open-source code
Open-source code compromises occur when a threat actor inserts malicious code into publicly available code libraries. An unsuspecting developer will then use these compromised code blocks into their third-party code giving the attacker full access. These types of attacks are commonly paired with “typosquatting” tactics, where a hacker names a code block in a similar way to a popular, safe option. A popular example of this took place in 2018 when researchers discovered 12 malicious Python libraries titled “diango,” “djago,” etc to lure developers looking for the popular “django” library.
Oftentimes these techniques are used in combination with each other.
Preventing software and data integrity failures
Not verifying the integrity of software and data can be detrimental to an organization. In such instances, a malicious actor may have access to sensitive information, resources, and control over the network.
This is where Foresite can help. To test for these types of vulnerabilities Foresite takes the approach of emulating the attacker and attempting to exploit many of the above vulnerabilities to gain a better understanding of the actual security posture of the application.
This penetration testing process begins with information gathering and enumeration to determine which parameters are vulnerable. From here, the consultant will begin exploiting found vulnerabilities with the goal of attaining confidential information, control of an application or network, and security gaps. The consultant will then generate a detailed report of their findings including any vulnerabilities found along with exploitation notes.
If you’re concerned you may be affected by any of these types of vulnerabilities contact us to learn more about how Foresite can help you scan for and remediate software and data integrity failures.
Tristin Zeman is the Digital Marketing Manager at Foresite. For the past 10 years, she has helped organizations of all sizes create and scale marketing programs through digital and traditional marketing channels and efficient marketing operations.