VC055 · A08:2021 · CWE-353

Missing code signing

About A08:2021 Software & Data Integrity

Integrity failures happen when an app trusts data or code it shouldn't — running unsigned updates, deserializing untrusted JSON into native objects, pulling code from a CDN without subresource integrity. The SolarWinds breach was a software-integrity failure on a national scale.

Impact: Insecure deserialization can mean remote code execution: the attacker sends a crafted payload that, when deserialized, instantiates dangerous classes or triggers method calls. Missing subresource integrity means a CDN compromise becomes your compromise.

How to fix it: Don't deserialize untrusted input into native objects; use plain JSON parsing and validate the shape of the result before using it. Add subresource integrity hashes to third-party scripts. Sign software updates and verify the signature against a trusted public key before applying them. Prefer signed commits and pinned versions in dependency management.

Common patterns in this category:

  • `JSON.parse` followed by direct property access without schema validation
  • Native deserialization (e.g. node-serialize, pickle) on user input
  • `<script src="https://cdn...">` without `integrity=` attribute
  • Auto-update mechanisms that don't verify package signatures
  • CI/CD pipelines that pull from un-pinned tags

Compliance coverage

Findings from this rule map to the following framework controls:

  • SOC 2: CC8.1, CC7.3
  • ISO 27001: A.8.25, A.8.9
  • OWASP Top 10: A08:2021 Software & Data Integrity
  • CWE: CWE-353

See the full compliance coverage page for how XploitScan maps every rule to SOC 2, ISO 27001, and OWASP Top 10 controls.

Scan your code for VC055 and 157 other rules

Free, no signup. Drag and drop a zip or run npx xploitscan scan .

