
OWASP Top 10: Software and Data Integrity Failures

12. 10. 2025 Updated: 24. 03. 2026 1 min read intermediate

The SolarWinds hack showed what happens when an attacker compromises the build pipeline. Integrity failures include insecure CI/CD and dangerous deserialization.

Attack examples

  • SolarWinds: Backdoor in firmware from a compromised build
  • Codecov: Modified CI script exfiltrated env variables
  • ua-parser-js: Compromised npm package

CI/CD protection

GitHub Actions — signed commits

```yaml
steps:
  - uses: actions/checkout@v4
  # git verify-commit only succeeds if the signing key is already in the
  # runner's GPG keyring, so import the trusted signer keys in a prior step.
  - name: Verify commit signature
    run: git verify-commit HEAD || exit 1
```

Subresource Integrity
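Subresource Integrity ties a `<script>` or `<link>` to the hash of the bytes the browser is expected to receive; if a CDN or a man-in-the-middle changes the file, the browser refuses to run it. The following script, added here as an illustration and not code from the original post, computes the `integrity` token for a resource, renders the tag, and re-checks content against an attribute the way a browser does (strongest algorithm wins, any matching token passes). One deliberate difference, labelled in the code: an attribute with no usable token fails closed here so that a CI check catches a typo, whereas a browser would simply ignore such an attribute. The CDN URL and the library bytes are constructed sample values.

```python
"""Generate and check Subresource Integrity (SRI) values.

Added illustration, not code from the original post. The sample library
bytes and the CDN URL used below are constructed.
"""
import base64
import hashlib

# Digest algorithms the SRI spec allows, listed weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return the integrity token '<algorithm>-<base64 digest>' for content."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content: bytes, integrity: str) -> bool:
    """Check content against an integrity attribute.

    The attribute may carry several space-separated tokens. As in the
    browser, only tokens using the strongest algorithm present count, and
    the content passes if it matches any one of them. Tokens with unknown
    algorithms are skipped. Assumption specific to this checker: if no
    usable token remains the check fails, so a broken attribute is caught
    in CI instead of being silently ignored as a browser would do.
    """
    tokens = []
    for token in integrity.split():
        algo, _, digest = token.partition("-")
        if algo in SRI_ALGORITHMS and digest:
            tokens.append((algo, digest.split("?")[0]))  # drop "?options"
    if not tokens:
        return False
    strongest = max((a for a, _ in tokens), key=SRI_ALGORITHMS.index)
    expected = {d for a, d in tokens if a == strongest}
    actual = sri_hash(content, strongest).split("-", 1)[1]
    return actual in expected


def script_tag(src: str, content: bytes) -> str:
    """Render a <script> tag carrying the integrity attribute.

    crossorigin="anonymous" is required for cross-origin resources: without
    CORS the browser cannot read the response bytes to hash them and blocks
    the load outright.
    """
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    # Constructed sample: the bytes of a library as served by a CDN.
    library = b"window.greet = function () { return 'hi'; };\n"
    print(script_tag("https://cdn.example.invalid/lib.js", library))
    print("unmodified:", verify_sri(library, sri_hash(library)))
    print("tampered:  ", verify_sri(library + b"//x", sri_hash(library)))
```

Generate the token from the exact bytes you deploy (minified output, not the source), and regenerate it whenever the dependency is bumped; a stale token blocks the legitimate file just as firmly as a tampered one.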

Insecure Deserialization

NEVER use pickle on untrusted data

```python
import pickle

# user_input: bytes received from an untrusted client. pickle can
# instantiate arbitrary classes and call arbitrary callables while
# loading, so attacker-controlled bytes give remote code execution.
data = pickle.loads(user_input)  # RCE!
```

JSON + validation

```python
from pydantic import BaseModel


class UserData(BaseModel):
    name: str
    age: int


# Parses the JSON and enforces the declared field types; anything else raises.
data = UserData.model_validate_json(user_input)
```
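The safe alternative on the page depends on pydantic; the block below, added here as an illustration and not code from the original post, shows the same two ideas with the standard library only: parse the input as JSON and validate its shape by hand, and, where a legacy pickle format truly cannot be replaced yet, load it through an unpickler that refuses every global reference outside an explicit allowlist (the pattern documented in the Python `pickle` module reference). The allowlist contents, the `CallsGetcwdFixture` class and the sample payloads are constructed for the demonstration.

```python
"""Defensive alternatives to `pickle.loads(user_input)`.

Added illustration, not code from the original post.
  1. parse_user_data(): JSON plus hand-written shape validation, the
     stdlib equivalent of the pydantic model on the page.
  2. RestrictedUnpickler: for legacy pickle data only, refuse any global
     not on an explicit allowlist (pattern from the Python pickle docs).
"""
import io
import json
import os
import pickle


class ValidationError(ValueError):
    """Raised when input does not match the expected shape."""


def parse_user_data(raw: str) -> dict:
    """Parse untrusted JSON into {'name': str, 'age': int} or raise.

    json.loads yields only dicts, lists, str, numbers, bools and None, so
    unlike pickle it can never instantiate an arbitrary class.
    """
    try:
        obj = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValidationError(f"not valid JSON: {exc}") from exc
    if not isinstance(obj, dict):
        raise ValidationError("expected a JSON object")
    unknown = set(obj) - {"name", "age"}
    if unknown:
        raise ValidationError(f"unexpected fields: {sorted(unknown)}")
    name, age = obj.get("name"), obj.get("age")
    if not isinstance(name, str) or not name:
        raise ValidationError("name must be a non-empty string")
    # bool is a subclass of int, so it has to be excluded explicitly.
    if not isinstance(age, int) or isinstance(age, bool) or not 0 <= age <= 150:
        raise ValidationError("age must be an integer between 0 and 150")
    return {"name": name, "age": age}


# Constructed allowlist: the only module/name pairs a pickle may reference.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that rejects any global not on SAFE_GLOBALS.

    pickle resolves every `module.name` reference in the stream through
    find_class(), so a stream naming os.system (or anything else outside
    the allowlist) is refused before the object is even looked up.
    """

    def find_class(self, module: str, name: str):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads with the allowlist enforced."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


class CallsGetcwdFixture:
    """Constructed fixture: pickles to a call of the harmless os.getcwd.

    It stands in for any stream that tries to reach a global; the
    restricted loader must refuse it without resolving the callable.
    """

    def __reduce__(self):
        return (os.getcwd, ())


if __name__ == "__main__":
    print(parse_user_data('{"name": "alice", "age": 30}'))
    print(restricted_loads(pickle.dumps({"name": "alice", "age": 30})))
    try:
        restricted_loads(pickle.dumps(CallsGetcwdFixture()))
    except pickle.UnpicklingError as exc:
        print("rejected:", exc)
```

Treat the restricted unpickler as a migration aid, not a destination: it narrows the attack surface to the allowlisted classes, but a data format that cannot name code at all (JSON, protobuf) removes the problem instead of fencing it.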

Key Takeaway

Verify integrity of dependencies, build artifacts, and CI/CD pipeline. Sign releases, use SRI.

Tags: owasp, security, integrity, supply chain

CORE SYSTEMS team

We build core systems and AI agents that keep operations running. 15 years of experience with enterprise IT.