Introduction

This vulnerability category makes its entrance in the top 10 in the year 2021. The category itself focusses on everything related to insecure CI/CD pipelines, software updates and critical data. It's all about how these processes might use resources without verifying their integrity.

What is it?

We need to divide this issue category further into 3 big sections to properly understand what it's about. This will help us see the different manifestations of this issue type and why we should be wary of using any unverified resource.

Software updates

First of all we need to talk about software updates, and we can be brief about this one. Whenever software updates itself, it should verify the integrity of the resource it is using. Failure to do so might let attackers slip in unapproved resources with their own malicious code embedded. This can manifest in a range of different ways, such as software auto-updating without verifying integrity, but it might also come from attackers targeting security updates specifically, as they know those are the updates most often pushed onto systems.
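To make the integrity gate concrete, here is an added Python example (not code from the original article) of an updater that refuses to apply a downloaded blob unless its SHA-256 digest matches one obtained from a trusted channel. The sample update bytes and the digest are constructed for the example; in a real updater the expected digest comes from a signed release manifest, not from the same server that serves the file.

```python
import hashlib
import hmac

# Constructed sample: the bytes an updater would download.
SAMPLE_UPDATE = b"#!/bin/sh\necho 'update payload (constructed sample)'\n"

# Constructed sample: the digest the vendor published out-of-band for this
# release. It stands in for an entry in a signed release manifest.
TRUSTED_DIGEST = hashlib.sha256(SAMPLE_UPDATE).hexdigest()


def is_well_formed_sha256(digest: str) -> bool:
    """A SHA-256 hex digest is exactly 64 hex characters; reject anything else
    so a truncated or empty manifest entry cannot silently pass."""
    if len(digest) != 64:
        return False
    try:
        int(digest, 16)
    except ValueError:
        return False
    return True


def verify_update(blob: bytes, expected_sha256: str) -> bool:
    """Return True only if the downloaded blob matches the trusted digest.

    hmac.compare_digest keeps the comparison constant-time so it does not
    leak how many leading characters matched.
    """
    if not is_well_formed_sha256(expected_sha256):
        return False
    actual = hashlib.sha256(blob).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())


def install_update(blob: bytes, expected_sha256: str) -> str:
    """Integrity gate: refuse to apply anything that fails verification.

    Returns a status string so the outcome can be logged and tested.
    """
    if not verify_update(blob, expected_sha256):
        return "rejected: integrity check failed"
    # Only past this point would a real installer write the update to disk.
    return "installed"


if __name__ == "__main__":
    print(install_update(SAMPLE_UPDATE, TRUSTED_DIGEST))
    # A blob with anything appended or changed no longer matches the digest.
    tampered = SAMPLE_UPDATE + b"echo 'unexpected extra command'\n"
    print(install_update(tampered, TRUSTED_DIGEST))
```

The key design point is where `TRUSTED_DIGEST` comes from: a digest downloaded next to the file from the same unauthenticated source can be replaced along with the file, so it must be pinned in the client, fetched over a separately authenticated channel, or covered by a signature the client can verify.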

Serialised input

Another section we have to look at is the ingestion of user-controllable input into a serialised object. Developers often rely on what they think are safe algorithms to deserialise an object, but if the object is user-controllable and its integrity is not checked, an attacker may just as well be able to control the object in unexpected ways.
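The following added Python example (not from the original article) shows one way to keep a serialised object that round-trips through the client from being modified: the object is encoded as JSON rather than a native object format, and an HMAC tag over the exact encoded bytes is verified before anything is parsed. The key and the session object are constructed for the example; a real deployment would load the key from a secrets store.

```python
import hashlib
import hmac
import json

# Constructed sample: a server-side secret that never leaves the server.
# In production this comes from a secrets manager, not from source code.
SERVER_KEY = b"constructed-example-key-do-not-reuse"


def serialise(obj: dict, key: bytes = SERVER_KEY) -> str:
    """Encode obj as canonical JSON and append an HMAC-SHA256 tag.

    JSON is used instead of a native object format (such as Python's pickle)
    because json.loads only ever produces plain data types, so a modified
    payload cannot change which code runs during deserialisation.
    """
    body = json.dumps(obj, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def deserialise(token: str, key: bytes = SERVER_KEY) -> dict:
    """Verify the integrity tag first; only then parse the body."""
    # The tag is hex, so it never contains '.', and splitting on the last '.'
    # is safe even though the JSON body may contain dots.
    body, sep, tag = token.rpartition(".")
    if not sep:
        raise ValueError("malformed token: missing integrity tag")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: token was modified")
    obj = json.loads(body)
    if not isinstance(obj, dict):
        raise ValueError("unexpected payload type")
    return obj


ALLOWED_ROLES = {"user", "admin"}


def load_session(token: str, key: bytes = SERVER_KEY) -> dict:
    """Integrity plus validation: even an authentic object is checked against
    the shape the application expects before it is trusted."""
    obj = deserialise(token, key)
    if set(obj) != {"user", "role"} or obj["role"] not in ALLOWED_ROLES:
        raise ValueError("session object has an unexpected shape")
    return obj


if __name__ == "__main__":
    token = serialise({"user": "alice", "role": "user"})
    print("valid:", load_session(token))
    # Constructed tampering: the client edits the role inside the body but
    # cannot recompute the tag without SERVER_KEY.
    edited = token.replace('"role":"user"', '"role":"admin"')
    try:
        load_session(edited)
    except ValueError as err:
        print("rejected:", err)
```

The order of operations matters: the tag is checked over the raw bytes before `json.loads` runs, so a tampered payload is never parsed at all, and the shape check in `load_session` catches an object that is authentic but not what this code path expects.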

List of Mapped CWEs

CWE-345 Insufficient Verification of Data Authenticity

CWE-353 Missing Support for Integrity Check

CWE-426 Untrusted Search Path

CWE-494 Download of Code Without Integrity Check

CWE-502 Deserialization of Untrusted Data

CWE-565 Reliance on Cookies without Validation and Integrity Checking

CWE-784 Reliance on Cookies without Validation and Integrity Checking in a Security Decision

CWE-829 Inclusion of Functionality from Untrusted Control Sphere

CWE-830 Inclusion of Web Functionality from an Untrusted Source

CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes