OWASP TOP 10 / A08:2021
Software and Data Integrity Failures
Code and infrastructure that fail to protect against integrity violations — unsigned updates, insecure deserialization, and CI/CD compromise.
This category covers trusting code or data without verifying its integrity: auto-updates without signature checks, insecure deserialization, and compromised build pipelines (supply-chain attacks like SolarWinds).
If you trust input you didn’t verify, an attacker can substitute malicious code or data.
How to prevent it
Verify digital signatures, use trusted repositories, secure the CI/CD pipeline, and never deserialize untrusted data.
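As an added illustration (not part of the OWASP text), the following Python routine applies the two client-side rules above to a software update: it verifies the manifest's signature before parsing it, parses only JSON against a fixed field list (never a native serializer such as pickle), and then checks the downloaded artifact against the hash the signed manifest pins. The shared HMAC key, manifest layout, and URL are constructed for the example; a real channel would use an asymmetric signature so clients hold only a public key.

```python
import hashlib
import hmac
import json

# Constructed key for the example only (assumption, not a real deployment value).
SIGNING_KEY = b"example-signing-key-do-not-use"

# Allow-list of manifest fields and their required types.
MANIFEST_SCHEMA = {"version": str, "sha256": str, "url": str}


def build_manifest(artifact: bytes, version: str, url: str) -> bytes:
    """Publisher side: JSON manifest pinning the SHA-256 of the update bytes."""
    body = {"version": version, "sha256": hashlib.sha256(artifact).hexdigest(), "url": url}
    return json.dumps(body, sort_keys=True).encode()


def sign_manifest(manifest_bytes: bytes, key: bytes = SIGNING_KEY) -> str:
    """Publisher side: HMAC-SHA256 over the exact bytes shipped to clients."""
    return hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()


def verify_manifest(manifest_bytes: bytes, signature: str, key: bytes = SIGNING_KEY) -> dict:
    """Client side: check the signature first, so unsigned or tampered bytes
    never reach the parser; then accept only JSON with the expected fields.
    Raises ValueError on any failure."""
    expected = hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise ValueError("manifest signature mismatch")
    data = json.loads(manifest_bytes)  # plain data format, never pickle/marshal
    if not isinstance(data, dict) or set(data) != set(MANIFEST_SCHEMA):
        raise ValueError("manifest has unexpected or missing fields")
    for field, typ in MANIFEST_SCHEMA.items():
        if not isinstance(data[field], typ):
            raise ValueError(f"field {field!r} has wrong type")
    return data


def verify_artifact(artifact: bytes, manifest: dict) -> bool:
    """Client side: the update bytes must match the hash the signed manifest pins."""
    digest = hashlib.sha256(artifact).hexdigest()
    return hmac.compare_digest(digest, manifest["sha256"])


if __name__ == "__main__":
    artifact = b"constructed update payload"
    manifest = build_manifest(artifact, "1.2.3", "https://updates.example.invalid/app.bin")
    sig = sign_manifest(manifest)
    checked = verify_manifest(manifest, sig)
    print("artifact ok:", verify_artifact(artifact, checked))
    try:
        verify_manifest(manifest.replace(b"1.2.3", b"9.9.9"), sig)
    except ValueError as err:
        print("rejected tampered manifest:", err)
```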
Mapped weaknesses (CWE)
Free tools to test for it
Related terms
Part of the OWASP Top 10 reference. See also the CWE weaknesses and Web Security hub.