OWASP_TOP10A08:2021voice-validated
OWASP_TOP10 A08: A08:2021
OWASP_TOP10
AL
Founder at SQUR · last verified 2026-06-20
Regulation text
Failures related to code and infrastructure that do not protect against integrity violations. Application that relies upon plugins, libraries, or modules from untrusted sources, repositories, and content delivery networks; an insecure CI/CD pipeline that can introduce the potential for unauthorised access, malicious code, or system compromise; applications that include auto-update without integrity verification.
ATT&CK techniques this article tests · 15
| Technique | Why it maps | Confidence |
|---|---|---|
| T1195.002 | 90% confidence: This technique involves compromising software supply chains, directly aligning with the control's mention of untrusted sources, repositories, and insecure CI/CD pipelines. Attackers inject malicious code into legitimate software components. | 90% |
| T1195.001 | 80% confidence: Compromising developer tools or environments, often part of an insecure CI/CD pipeline, can lead to integrity violations in the final product. This enables malicious code introduction. | 80% |
| T1059 | 85% confidence: Malicious code introduced through integrity violations often relies on command and scripting interpreters for execution. This is a common method for system compromise. | 85% |
| T1204.002 | 80% confidence: Users executing malicious files, potentially downloaded from untrusted sources or delivered via a compromised update mechanism, directly leads to system compromise and integrity breaches. | 80% |
| T1547.001 | 75% confidence: Malicious code, once introduced via an integrity violation, often establishes persistence through boot or logon autostart mechanisms. This ensures continued unauthorized access. | 75% |
| T1055 | 70% confidence: Process injection allows malicious code to run within legitimate processes, evading detection and maintaining persistence. This is a common post-exploitation technique following an integrity breach. | 70% |
| T1027 | 70% confidence: Attackers obfuscate malicious code introduced through integrity violations to evade detection by security tools. This is a defense evasion tactic. | 70% |
| T1562.001 | 80% confidence: Tampering with security tools or configurations is a direct integrity violation. Attackers disable or modify defenses to facilitate further malicious activity. | 80% |
| T1003 | 65% confidence: Once system integrity is compromised, attackers often attempt to dump credentials from the operating system. This provides further access for lateral movement. | 65% |
| T1082 | 60% confidence: After gaining initial access through an integrity violation, attackers perform system information discovery to understand the environment and plan subsequent actions. | 60% |
| T1021 | 60% confidence: Compromised systems, resulting from integrity failures, are used by attackers to access remote services and move laterally within the network. This expands the breach. | 60% |
| T1005 | 65% confidence: Attackers collect data from local systems after compromising integrity. This is a common objective following unauthorized access. | 65% |
| T1041 | 65% confidence: Exfiltration of collected data often occurs over command and control channels. This is the final stage of data theft after an integrity breach. | 65% |
| T1485 | 85% confidence: Data destruction is a direct impact of integrity violations. Malicious code can be designed to corrupt or delete critical data, causing significant operational disruption. | 85% |
| T1490 | 80% confidence: Attackers inhibit system recovery by tampering with backups or recovery mechanisms. This is a severe integrity violation, preventing restoration after an attack. | 80% |
Defending mitigations · 7
| Mitigation | What it does | Confidence |
|---|---|---|
| M1051 | 95% confidence: Implementing robust supply chain security measures directly addresses the risk of untrusted sources, repositories, and insecure CI/CD pipelines, preventing integrity violations at the source. | 95% |
| M1038 | 90% confidence: Verifying the integrity of software updates and components ensures that auto-update mechanisms do not introduce malicious code. This directly counters 'auto-update without integrity verification'. | 90% |
| M1047 | 85% confidence: Comprehensive auditing and logging detect unauthorized changes and integrity violations in code, infrastructure, and CI/CD pipelines. This enables timely incident response. | 85% |
| M1050 | 80% confidence: Regular vulnerability scanning of third-party components, libraries, and CI/CD tools identifies weaknesses that could lead to integrity breaches. This proactive measure reduces risk. | 80% |
| M1018 | 75% confidence: Implementing strict user account management and least privilege principles limits the ability of unauthorized users or compromised accounts to introduce integrity violations. | 75% |
| M1030 | 70% confidence: Network segmentation limits the blast radius of a compromised component. If one part of the system suffers an integrity breach, its impact is contained. | 70% |
| M1040 | 70% confidence: Regular and verified data backups mitigate the impact of data destruction or tampering resulting from integrity violations. This ensures recovery capability. | 70% |
Underlying weaknesses · 7
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-494 | 95% confidence: This weakness directly describes the failure to perform integrity checks on downloaded code, such as in auto-update mechanisms or when fetching libraries from untrusted sources. | 95% |
| CWE-913 | 90% confidence: Improper control over dynamically-managed code resources, like plugins or libraries, allows the inclusion of untrusted or malicious components, leading to integrity violations. | 90% |
| CWE-94 | 85% confidence: Code injection vulnerabilities enable attackers to introduce malicious code into an application, directly compromising its integrity and leading to unauthorized execution. | 85% |
| CWE-347 | 90% confidence: The absence or improper verification of cryptographic signatures on software components, updates, or configuration files directly leads to integrity failures. | 90% |
| CWE-353 | 90% confidence: A missing or inadequate integrity check mechanism for critical data, code, or configurations is a fundamental weakness addressed by this OWASP control. | 90% |
| CWE-1105 | 80% confidence: An incomplete list of allowed resources permits the inclusion of unauthorized or malicious components, such as untrusted plugins or libraries, compromising system integrity. | 80% |
| CWE-20 | 75% confidence: Improper input validation is a foundational weakness that can lead to various integrity issues, including code injection, command injection, and other forms of data tampering. | 75% |
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0185 compute · voice-rubric self-validated