OWASP Top 10: Number 09

Using Components with known vulnerabilities

This one is much more specific to application or website development: "using components with known vulnerabilities" refers to the libraries, frameworks, software modules and other services you pull in to build your application or website, and which run with the same privileges as your own code.

So why would you use these components if they are vulnerable? A lot of this comes down to a lack of due diligence or a lack of knowledge about what is actually in use. It has been found to be more prevalent with open source components: once a vulnerability is found and publicly released, attackers read the same advisory and documentation as everyone else and use the published exploits against organisations that have not yet patched.

Some of the biggest breaches to date have come from these vulnerabilities, such as the Equifax breach in 2017.

So how can this be avoided? Surely we can't just stop using open source libraries, frameworks or software modules? Of course not!

  • Patch management is important: keep an inventory of which components and versions are used in your environment, and upgrade where you can.
  • Remove unused modules and libraries; this reduces your attack surface.
  • Continuously monitor CVEs and the NVD for vulnerabilities in the components you depend on.
  • Make sure your organisation has a plan for monitoring, triaging and applying patches to your application/website/software.
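The steps above boil down to one loop: know what you run, compare it against published advisories, and upgrade anything inside an affected version range. The script below is an added example (not code from the original post or from OWASP) that does exactly that for a pinned dependency manifest. The manifest, the advisory feed and the advisory identifiers (`ADV-PLACEHOLDER-*`) are all constructed for illustration; real pipelines would feed in NVD data, for example via OWASP Dependency-Check or `pip-audit`, rather than a hand-written dictionary.

```python
"""Added example: flag pinned components that fall inside a known-vulnerable
version range. All inputs below are constructed; advisory ids are placeholders."""
import re
from typing import Dict, List, Tuple

# Constructed sample manifest in pip requirements.txt style (illustrative only).
SAMPLE_REQUIREMENTS = """\
# web framework
webframework==2.1.4
templating-lib==1.8.0
jsonparser==0.9.2   # pinned years ago, nobody remembers why
imagetool==3.0.1
"""

# Constructed advisory feed: component -> [(advisory id, first affected, fixed in)].
# A version is vulnerable if first_affected <= version < fixed_in.
SAMPLE_ADVISORIES = {
    "webframework": [("ADV-PLACEHOLDER-001", "2.0.0", "2.1.5")],
    "jsonparser": [("ADV-PLACEHOLDER-002", "0.0.0", "1.0.0")],
    "imagetool": [("ADV-PLACEHOLDER-003", "1.0.0", "2.4.0")],  # already fixed at 3.0.1
}


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn '2.1.4' into (2, 1, 4) so '2.10.0' compares above '2.9.0'.
    Short forms such as '1.0' are padded to three parts."""
    parts = [int(p) for p in v.split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def parse_requirements(text: str) -> Dict[str, str]:
    """Extract exact pins (name==version); comments and blank lines are ignored.
    Names are lower-cased so lookups against the advisory feed are case-insensitive."""
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9.]+)", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


def find_vulnerable(pins: Dict[str, str], advisories: Dict[str, list]) -> List[dict]:
    """Return one finding per (component, advisory) whose pinned version is in range."""
    findings = []
    for name, version in pins.items():
        current = parse_version(version)
        for adv_id, first_affected, fixed_in in advisories.get(name, []):
            if parse_version(first_affected) <= current < parse_version(fixed_in):
                findings.append({
                    "component": name,
                    "version": version,
                    "advisory": adv_id,
                    "upgrade_to": fixed_in,
                })
    return findings


def audit(manifest_text: str, advisories: Dict[str, list]) -> List[dict]:
    """Full check: parse the manifest, then match it against the advisory feed."""
    return find_vulnerable(parse_requirements(manifest_text), advisories)


if __name__ == "__main__":
    for f in audit(SAMPLE_REQUIREMENTS, SAMPLE_ADVISORIES):
        print(f"{f['component']}=={f['version']}: {f['advisory']} "
              f"-> upgrade to {f['upgrade_to']} or later")
```

Run against the constructed inputs it reports `webframework` and `jsonparser` and stays quiet about `imagetool`, whose pin is already past the fix. The same shape works for any lockfile format once you swap the parser, and the "remove unused modules" step simply means fewer entries to audit in the first place.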

Sources:

https://owasp.org/www-project-top-ten/
https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities
https://resources.whitesourcesoftware.com/blog-whitesource/owasp-a9-using-components-with-known-vulnerabilities
