About
A new category for 2021 focuses on making assumptions related to software updates, critical data, and CI/CD pipelines without verifying integrity.
Description
Software and data integrity failures relate to code and infrastructure that do not protect against integrity violations. Using software plug-ins, libraries, or modules from untrusted sources, repositories, or content delivery networks (CDNs) may result in unauthorized access, malicious code, or compromise of the system by attackers. Examples include unsigned firmware, unprotected update mechanisms, and insecure deserialization.
Prevention
Software and data integrity failures can be prevented by following these tips:
Basic tools such as Static Analysis Security Testing (SAST) tools, Dynamic Analysis Security Testing (DAST) tools, and vulnerability scanners can identify problem areas in the code that need urgent attention.
Using SAST, DAST, and vulnerability scanners earlier in the development pipeline gives developers more time to address critical issues such as insecure deserialization, potential server-side request forgery vulnerabilities, and security misconfiguration.
Software updates should be thoroughly tested by both the development team and the end-user before they are installed on all endpoint systems.
Effective threat modeling gives the development team a better understanding of the potential threats that the software will face and how the adversary will try to steal critical data.
Reference here.
Potential impact
An insecure deployment pipeline can introduce the potential for unauthorized access, malicious code, or system compromise.
Common examples
Example #1: Update without signing
Many home routers, receivers, device firmware and other products do not verify updates via signed firmware. Unsigned firmware is a growing target for attackers, and the problem is set to get worse. This is a major concern, as there is often no mechanism to correct it other than fixing it in a future version and waiting for previous versions to become outdated.
Example #2: SolarWinds malicious update
Nation states have been known to attack update mechanisms, a recent notable case being the SolarWinds Orion attack. The company developing the software had secure build and update integrity processes in place. However, attackers were able to subvert them, and over several months the company distributed a highly targeted malicious update to more than 18,000 organisations, of which about 100 were affected. This is one of the most far-reaching and significant breaches of this nature in history.
Example #3: Insecure Deserialization
A React application calls a set of Spring Boot microservices. As functional programmers, the developers have tried to ensure that their code is immutable. The solution they have come up with is to serialise the user's state and pass it back and forth with each request. An attacker notices the signature of a Java serialized object, "rO0" (in base64), and uses the Java Serial Killer tool to execute code remotely on the application server.
Reference here.
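The defence Example #3 calls for is to keep client-held state in a format that cannot carry code and to reject it unless its integrity checks out. The Python sketch below, added here and not part of the OWASP text or of any Spring Boot project, stands in for the Java round trip: it serializes the user's state as JSON with an HMAC, verifies the tag on the way back, and refuses anything that starts with the Java serialization magic (the base64 "rO0" marker). The key, the state fields and the sample tokens are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed example key; a real deployment loads it from a secret store.
STATE_KEY = b"example-server-side-secret-key"

# Every Java serialization stream starts with 0xAC 0xED 0x00 0x05; in base64
# that prefix is the "rO0" marker from Example #3.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"


def looks_like_java_serialized(token: str) -> bool:
    """True if the token's first bytes are the Java serialization magic."""
    head = token[:8]                      # 8 base64 chars cover 6 raw bytes
    head += "=" * (-len(head) % 4)        # tolerate stripped padding
    try:
        raw = base64.b64decode(head, altchars=b"-_")  # accept url-safe too
    except ValueError:                    # binascii.Error is a ValueError
        return False
    return raw.startswith(JAVA_SERIAL_MAGIC)


def issue_state(state: dict) -> str:
    """Serialize state as canonical JSON and append an HMAC-SHA256 tag."""
    body = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(STATE_KEY, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())


def verify_state(token: str) -> Optional[dict]:
    """Return the state only if its tag verifies; otherwise None."""
    if looks_like_java_serialized(token):
        return None                       # never hand this to a deserializer
    try:
        body_b64, tag_b64 = token.split(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:
        return None
    expected = hmac.new(STATE_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return json.loads(body)               # plain data, no object graph
```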
Cases
The most high-profile example of software and data integrity failures would be the SolarWinds cyber attack in 2020.
SolarWinds, based in Texas, United States of America, provides a platform called “Orion” which helps numerous companies, many of them Fortune 500 companies, and government agencies such as the Pentagon to manage their IT resources.
Attackers managed to compromise “Orion” and add malicious code that went undetected. As a result, SolarWinds unwittingly sent out updates and patches containing the malicious code to its customer base. These compromised updates and patches created backdoors, which the attackers then used to install more malware to spy on the affected companies and government agencies.
Reference here.
____________________________________________________________________________________________
References and more useful information may be found at:
[1] Secpro
[2] OWASP
[3] Horangi