# Data Integrity Failures (A08:2025)

Data integrity failures relate to code and infrastructure that does not protect against integrity violations, including insecure deserialization and unsigned updates.

## Overview

Renamed from 'Software and Data Integrity Failures' to 'Data Integrity Failures'. The focus is on assumptions made about software updates, critical data, and CI/CD pipelines without verifying integrity.

## How Attackers Exploit This

### Insecure deserialization

Untrusted data is deserialized by the application, potentially leading to remote code execution.

**Detection signal:** Serialized object patterns in requests; unexpected class instantiation errors.

### Unsigned updates

Software updates are accepted without verifying their authenticity, allowing malicious updates.

**Detection signal:** Update mechanisms that don't verify signatures; unsigned packages accepted.

### Data tampering

Critical data lacks integrity verification, allowing modification without detection.

**Detection signal:** Missing checksums; unsigned tokens; modifiable hidden fields.

## How to Prevent

- Use digital signatures to verify that software or data comes from the expected source
- Ensure libraries and dependencies are obtained from trusted repositories
- Use software supply chain security tools to verify components
- Ensure the CI/CD pipeline has proper segregation and access control
- Ensure unsigned or unencrypted serialized data is not sent to untrusted clients
- Implement integrity checks for critical data

## CWEs with Detection Rules (2)

- **CWE-502**: Deserialization of Untrusted Data (7 rules) [go, javascript, typescript, python]
- **CWE-829**: Inclusion of Functionality from Untrusted Control Sphere (4 rules) [go, javascript, typescript, yaml, python]

## Other Mapped CWEs (8)

- CWE-345: Insufficient Verification of Data Authenticity
- CWE-353: Missing Support for Integrity Check
- CWE-426: Untrusted Search Path
- CWE-494: Download of Code Without Integrity Check
- CWE-565: Reliance on Cookies without Validation and Integrity Checking
- CWE-784: Reliance on Cookies without Validation and Integrity Checking in a Security Decision
- CWE-830: Inclusion of Web Functionality from an Untrusted Source
- CWE-913: Improper Control of Dynamically-Managed Code Resources

## Quick Reference

- Total CWEs: 10
- With Shoulder rules: 2
- Detection rules: 11
- Critical rules: 3
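The three failure modes above (insecure deserialization, unsigned updates, tampered data) and the prevention bullets share one root cause: bytes are trusted before their origin or integrity is checked. The block below is an added example, not code from the original page or any rule set it describes. It shows, in Python's standard library only, an unrestricted `pickle` loader beside an allow-listed one, an HMAC-signed JSON token whose tampering is detected before parsing, and a checksum check on an update artifact against a pinned manifest. All keys, blobs, the manifest entry and the `demo-update-1.0` name are constructed for the example.

```python
"""Integrity checks for serialized data, tokens and update artifacts.

Added example (not from the page or any project it references). The secret key,
sample blobs and manifest below are constructed for demonstration only.
"""
import collections
import hashlib
import hmac
import io
import json
import pickle

# Constructed demo secret. A real deployment loads this from a secret store.
SERVER_KEY = b"constructed-demo-key-not-for-production"

# --- CWE-502: unrestricted deserialization versus an allow-listed loader ----

# Constructed sample streams: plain containers need no class lookup, whereas an
# OrderedDict makes pickle resolve the global collections.OrderedDict on load.
SAFE_BLOB = pickle.dumps({"user": "alice", "items": [1, 2]})
RISKY_BLOB = pickle.dumps(collections.OrderedDict(user="alice"))


def unsafe_load(blob: bytes):
    """The pattern the detection rules flag: the sender decides which
    importable global pickle resolves while reconstructing the object."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses every global reference not on an explicit allow-list.
    The list is empty here: plain dicts, lists and strings load without any
    class lookup, and anything needing one is rejected."""
    ALLOWED: set[tuple[str, str]] = set()

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to resolve {module}.{name}")


def restricted_load(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def is_rejected(blob: bytes) -> bool:
    """True when the hardened loader refuses the stream (a detection event)."""
    try:
        restricted_load(blob)
    except pickle.UnpicklingError:
        return True
    return False

# --- Signed tokens: detect modification before the data is interpreted ------

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def _tag(payload: bytes) -> bytes:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()


def pack(obj) -> bytes:
    """Serialize to canonical JSON (no code execution on load) and prefix an
    HMAC-SHA256 tag so any change to the payload is detectable."""
    payload = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    return _tag(payload) + payload


def verify_and_unpack(token: bytes):
    """Returns (True, obj) for an authentic token, (False, None) otherwise.
    The tag is compared in constant time and checked before json.loads runs."""
    tag, payload = token[:TAG_LEN], token[TAG_LEN:]
    if len(tag) != TAG_LEN or not hmac.compare_digest(tag, _tag(payload)):
        return False, None
    return True, json.loads(payload)

# --- CWE-494: pin the update artifact to a checksum published out of band ---

# Constructed manifest: the artifact body is the bytes b"abc", whose SHA-256 is
# the well-known value below. A real manifest would itself be signed.
MANIFEST = {
    "demo-update-1.0": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}


def verify_update(name: str, artifact: bytes) -> bool:
    """Accept the artifact only if its digest matches the pinned manifest entry."""
    expected = MANIFEST.get(name)
    if expected is None:
        return False
    actual = hashlib.sha256(artifact).hexdigest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    print("restricted loader rejects class reference:", is_rejected(RISKY_BLOB))
    token = pack({"user": "alice", "role": "user"})
    forged = token[:TAG_LEN] + token[TAG_LEN:].replace(b'"role":"user"', b'"role":"admin"')
    print("forged token accepted:", verify_and_unpack(forged)[0])
    print("genuine update accepted:", verify_update("demo-update-1.0", b"abc"))
    print("modified update accepted:", verify_update("demo-update-1.0", b"abd"))
```

The restricted unpickler is a containment measure for code that cannot yet move off `pickle`; the signed-JSON path is the preferred fix, since JSON parsing never instantiates caller-chosen classes. Each rejected load, failed tag comparison or checksum mismatch is a concrete event worth logging as a detection signal.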