Podcast Summary: Hacking Humans Episode: OWASP Software and Data Integrity Failures (noun) [Word Notes]
Host/Author: N2K Networks
Release Date: June 10, 2025

Introduction

In this episode of Hacking Humans, hosted by N2K Networks, the focus centers on OWASP Software and Data Integrity Failures—a critical topic in the realm of cybersecurity. The discussion delves into the intricacies of software and data integrity, exemplified by high-profile cyber attacks, and explores robust mitigation strategies recommended by OWASP (Open Web Application Security Project).

Understanding OWASP Software and Data Integrity Failures

Speaker B begins by unpacking the acronym OWASP, breaking it down as follows:

• O: Open
• W: Web
• A: Application
• S: Security
• P: Project

He further explains that Software refers to the instructions that tell a computer what to do, while Data pertains to information stored on a computer. Integrity Failures involve support structures that are supposed to be reliable but turn out to be compromised due to faulty code and inadequate protection against unauthorized changes.

Notable Quote:

"Software and data integrity failures happen when an application relies upon plugins, libraries, or modules from untrusted resources, repositories, and content delivery networks."
— Speaker B [01:30]

Historical Context and OWASP's Evolution:

• David Wickers and Jeff Williams of Aspect Security first highlighted top software security coding issues in 2003, which later evolved into the OWASP Top 10—a definitive guide outlining the most critical security concerns for web applications.
• As of 2021, OWASP introduced a new category: Software and Data Integrity Failures, positioned at number 8 on the list.
• Andrew van der Stock, OWASP Foundation Executive Director and Top 10 Project Leader, oversees the international team of security professionals driving these initiatives.

The SolarWinds APT29 (Nobelium) Attack: A Case Study

OWASP experts cite the 2020 SolarWinds compromise as a quintessential example of software and data integrity failure. In this incident:

• APT29, also known as Nobelium, infiltrated the SolarWinds network.
• The attackers accessed the company's code repository and embedded a Remote Access Trojan (RAT) into the SolarWinds Orion product, a widely used network management system.
• Approximately 18,000 customers inadvertently downloaded the tainted update, propagating the RAT across numerous systems.

Notable Quote:

"The main idea is to protect code and data sources from unauthorized and undetected change."
— Speaker B [03:45]

OWASP’s Mitigation Strategies

To counteract such sophisticated supply chain attacks, OWASP recommends the following five mitigation tactics:

1. Code Signing:

   • Sign all internally developed software.
   • Ensure that commercial and open-source software undergoes the same process.

2. Trusted Repositories:

   • Use only code libraries from verified and trusted sources.

3. Vulnerability Scanning:

   • Regularly scan both internally developed and open-source software for known vulnerabilities.

4. Review Processes:

   • Establish stringent review procedures for any code and configuration changes.

5. Segregation and Access Controls:

   • Enforce strict segregation, configuration, and access controls within your continuous integration and continuous deployment (CI/CD) pipeline.

Notable Quote:

"None of these mitigation strategies, if implemented by any of the 18,000 SolarWinds customers, would have protected them from the APT29 attack."
— Speaker B [04:30]

Despite the robust recommendations, the SolarWinds attack underscores the challenges of supply chain security, highlighting the importance of a zero trust strategy that minimizes permissions and access privileges related to critical products like Orion.

SolarWinds’ Response: Insights from Tim Brown

A pivotal segment features Tim Brown, SolarWinds' Chief Information Security Officer (CISO), detailing the immediate response following the APT29 attack notification. Recorded during an interview hosted by MJ Shore of CompTIA ISAO in November 2021, Tim Brown recounts the urgent measures taken in the critical first 24 hours.

Key Points from Tim Brown:

• Immediate Notification and Coordination:

  • On December 12th, a Saturday, SolarWinds was alerted by Kevin Mandia about the compromised code.
  • Rapid communication ensued with the CTO of FireEye, another target of the attack.

• Assembling the Response Team:

  • A diverse team, including legal counsel from Piper and forensic experts, was mobilized swiftly.
  • Collaboration with CrowdStrike facilitated a comprehensive investigation.

• Establishing a War Room:

  • By Sunday morning, a dedicated war room was operational, strategizing the response.
  • As a public company, prompt disclosure was imperative, necessitating the filing of a 10-K report.

Notable Quote:

"This was all on Saturday, as we're going through stuff first on the phone. Sunday morning we were all in the office and started in a war room just working through all of the details because as a public company on Monday morning or Sunday night, we needed to get information out to essentially the street."
— Tim Brown [05:45]

Tim emphasizes the unprecedented speed and coordination required to manage the fallout from the attack, illustrating the high-stakes environment of responding to a major security breach.

Conclusion

This episode of Hacking Humans provides a comprehensive examination of OWASP's Software and Data Integrity Failures, using the SolarWinds APT29 attack as a case study to highlight vulnerabilities in the software supply chain. By outlining OWASP’s mitigation strategies and featuring firsthand insights from SolarWinds' CISO, the podcast underscores the critical importance of robust security practices and proactive defense mechanisms in safeguarding against sophisticated cyber threats.

For organizations building their own software, OWASP’s guidelines serve as essential practices to prevent unauthorized and undetected changes, thereby enhancing the integrity and security of their applications and data.

This summary was crafted to encapsulate the key discussions and insights from the podcast episode, providing a detailed overview for those who have not listened to the original content.