Software Integrity Failures: OWASP Top 10 (2026)
Written by Rafter Team
February 1, 2026
Estimated reading time: ~9 minutes
The Problem
In 2018, the popular NPM package event-stream was compromised. Millions of apps unknowingly ran malicious code.
This incident highlighted the critical importance of software integrity — ensuring that the code you're running is exactly what you think it is. This is why Software and Data Integrity Failures is a key category in the OWASP Top 10.
What It Is
Trusting unverified code, data, or updates. This includes:
- Supply Chain Compromises: Malicious packages in public repositories
- Code Integrity Issues: Unverified or tampered software
- Data Integrity Problems: Unverified data sources or modifications
- Update Mechanisms: Insecure software update processes
Types of Integrity Failures
- Package Integrity: Compromised dependencies or libraries
- Code Signing: Missing or invalid code signatures
- Data Integrity: Unverified data sources or tampering
- Update Integrity: Insecure software update mechanisms
Examples
1. Malicious Packages in npm/PyPI
Problem: Attackers publish packages with similar names to legitimate ones
Impact: Malicious code execution in applications
Example: crossenv vs cross-env (typosquatting)
Related: This is closely tied to Vulnerable and Outdated Components — malicious packages often exploit known vulnerabilities.
2. Compromised CI/CD Pipelines
Problem: Build systems compromised to inject malicious code Impact: Malicious code deployed to production Example: SolarWinds (2020) - malicious code injected into legitimate updates
Related: This highlights the importance of Security Logging and Monitoring Failures — compromised pipelines should be detected through monitoring.
3. Unsigned Software Updates
Problem: Software updates without cryptographic verification Impact: Man-in-the-middle attacks during updates Example: Downloading updates over HTTP instead of HTTPS
4. Data Tampering
Problem: Unverified data sources or lack of integrity checks Impact: Corrupted or malicious data processing Example: Configuration files modified without verification
5. Dependency Confusion
Problem: Private packages replaced with malicious public versions Impact: Malicious code execution in private environments Example: Attackers publishing malicious versions of private package names
Why It Matters
Supply Chain Attacks Are Rising
- High Impact: Compromise one package, affect thousands of applications
- Stealth: Malicious code can run undetected for long periods
- Trust Exploitation: Leveraging trust in legitimate software sources
- Automated Distribution: Malicious code spreads automatically through dependencies
Business Impact
- Data Breaches: Malicious code can steal sensitive information
- System Compromise: Full control over affected systems
- Reputation Damage: Loss of trust in software supply chain
- Compliance Violations: May violate security frameworks and standards
How to Prevent It
1. Code Signing
# Example: Signing a package
gpg --armor --detach-sign package.tar.gz
gpg --verify package.tar.gz.asc package.tar.gz
# Example: Verify npm package signatures
npm audit signatures
2. Verify Dependencies
// Example: Package integrity verification
const crypto = require('crypto');
const fs = require('fs');
function verifyPackageIntegrity(packagePath, expectedHash) {
const fileBuffer = fs.readFileSync(packagePath);
const hashSum = crypto.createHash('sha256');
hashSum.update(fileBuffer);
const actualHash = hashSum.digest('hex');
return actualHash === expectedHash;
}
3. Protect CI/CD Pipelines
# Example: Secure CI/CD configuration
name: Secure Build
on: [push, pull_request]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Verify commit signatures
run: |
git log --show-signature -1
- name: Run security scan
uses: rafter/security-scan@v1
4. Use Tools Like Sigstore
# Example: Using Sigstore for code signing
cosign sign --key cosign.key image:latest
cosign verify --key cosign.pub image:latest
5. Implement Package Verification
// Example: package.json with integrity checks
{
"name": "my-app",
"dependencies": {
"lodash": {
"version": "4.17.21",
"integrity": "sha512-..."
}
}
}
6. Secure Update Mechanisms
// Example: Secure update verification
const crypto = require('crypto');
async function verifyUpdate(updateFile, signature, publicKey) {
const fileHash = crypto.createHash('sha256')
.update(await fs.readFile(updateFile))
.digest('hex');
const isValid = crypto.verify(
'sha256',
Buffer.from(fileHash, 'hex'),
publicKey,
Buffer.from(signature, 'hex')
);
return isValid;
}
7. Monitor for Anomalies
- Behavioral Analysis: Monitor for unusual package behavior
- Network Monitoring: Detect unexpected network connections
- File System Monitoring: Watch for unauthorized file modifications
- Process Monitoring: Track unexpected process execution
Tools
- Sigstore: Free code signing and verification
- Cosign: Container and artifact signing
- npm audit: Package vulnerability scanning
- Rafter: Comprehensive security scanning
- SLSA: Supply-chain Levels for Software Artifacts framework
- in-toto: Framework for securing software supply chains
Conclusion
Protect your supply chain to protect your users. Implement code signing, verify dependencies, secure CI/CD pipelines, and monitor for integrity violations.
Next Steps:
- Implement code signing for your applications
- Secure your CI/CD pipelines
- Monitor for supply chain anomalies
- Run a Rafter scan to identify potential integrity issues in your software supply chain