OWASP Topic: A06:2021-Vulnerable and Outdated Components
- Jen C

- Nov 7
- 3 min read
“Vulnerable Components are a known issue that we struggle to test and assess risk and is the only category to not have any Common Vulnerability and Exposures (CVEs) mapped to...” https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/

Vulnerable and Outdated Components. Ugh. Gross. Sounds like a communicable disease and an outdated vaccine for an application. Wait, maybe that’s a good analogy. Let’s roll with it.
What exactly is a Vulnerable and Outdated Component? Simply put, a vulnerable and outdated component is a third-party library (open-source), framework, or piece of proprietary code that is no longer maintained or contains known software vulnerabilities. Those flaws are what those nasty attackers exploit and, as per usual, use to gain unauthorized access, take control of the system, or reach our sensitive data. If not monitored, these outdated components can remain in place for years, yes, years, before they are discovered and patched, and by then it might be too late. They are tough to test for, and tough to assess for risk, without proper tooling. No worries, we’ll cover that in more detail.

What are some signs/symptoms of vulnerable and outdated components?
You are likely vulnerable if…
- You do not know the versions of ALL the components you use, both direct dependencies and nested (transitive) dependencies, on both the client and server sides.
- You have out-of-date, unsupported, or already known-to-be-vulnerable software. This could include anything from the operating system to web/application servers, database management systems, APIs, and so on.
- You do not regularly scan for vulnerabilities with a tool such as Checkmarx SCA.
- You do not read security bulletins about the components you use.
- You do not test that updated, upgraded, or patched libraries are compatible.

What are some of the risks of not being vaccinated, err, I mean, updated and no longer vulnerable?
- Attackers can exploit vulnerabilities to gain access, which can lead to security problems such as data breaches, financial losses, and reputational damage.
- Attackers and threat actors are often already aware of the flaws in outdated software and have reverse-engineered them to gain access.
- Data loss or corruption can occur due to compatibility issues with other software and hardware.
How do I know whether I’m at risk or not? Ask these questions…
- Do we have an inventory, and do we check versions against it frequently?
- Do we consult the vulnerability databases?
- Do we perform security scans, for example with Checkmarx SCA?
- Do we properly manage patches?
- Do we properly review code?
- Do we conduct penetration testing?

Oh man, how can I prevent this?
The most obvious is to maintain an inventory of ALL components and software, and ensure they are kept up-to-date by implementing a patch management process.
- Continuously inventory the versions and the dependencies. This should include third-party libraries and frameworks.
- Frequently scan using a software composition analysis (SCA) tool like Checkmarx SCA. (This can help identify known vulnerabilities in the components you use and provide recommendations for remediation.)
- Remove unused dependencies, unnecessary features, components, and documentation.
- Subscribe to security bulletins for the components you use to stay informed about any security vulnerabilities.
- Apply updates promptly!!
- Avoid using a component that is outdated or has an inactive development community.
- Please please please only obtain components from official sources and, please, over secure links. Please. We don’t want to download malicious components!
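To make the “inventory everything, nested dependencies included” point concrete, here is an added example (mine, not from the post and not Checkmarx code): it flattens a constructed npm-style lockfile into an inventory of direct and transitive components and flags any that sit below the fixed version in a constructed advisory list. Both the lockfile and the advisories are made-up sample data; real scans use an SCA tool against a real vulnerability database.

```python
"""Added example: inventory direct + nested dependencies and match advisories."""
import json

# Constructed sample lockfile in npm v1 lock format (nested "dependencies").
LOCKFILE = json.loads("""
{
  "name": "demo-app",
  "dependencies": {
    "express": {"version": "4.17.1", "dependencies": {
        "qs": {"version": "6.7.0"},
        "body-parser": {"version": "1.19.0",
                        "dependencies": {"qs": {"version": "6.7.0"}}}
    }},
    "lodash": {"version": "4.17.15"}
  }
}
""")

# Constructed advisories (placeholder ids, not real CVE data): package -> first fixed version.
ADVISORIES = {
    "lodash": {"id": "DEMO-ADV-0001", "fixed_in": "4.17.21"},
    "qs": {"id": "DEMO-ADV-0002", "fixed_in": "6.7.3"},
}

def parse_version(v):
    """Turn '4.17.15' into (4, 17, 15) so versions compare numerically."""
    return tuple(int(part) for part in v.split("."))

def inventory(deps, path=()):
    """Flatten the nested tree into (name, version, path) records, one per occurrence."""
    items = []
    for name, meta in deps.items():
        here = path + (name,)
        items.append((name, meta["version"], here))
        items.extend(inventory(meta.get("dependencies", {}), here))
    return items

def find_vulnerable(lock, advisories):
    """Flag every component (direct or transitive) older than the advisory's fixed version."""
    findings = []
    for name, version, path in inventory(lock["dependencies"]):
        adv = advisories.get(name)
        if adv and parse_version(version) < parse_version(adv["fixed_in"]):
            findings.append({"package": name, "version": version, "advisory": adv["id"],
                             "path": " > ".join(path), "transitive": len(path) > 1})
    return findings

if __name__ == "__main__":
    for finding in find_vulnerable(LOCKFILE, ADVISORIES):
        print(finding)
```

Note that the vulnerable qs shows up twice, both times as a transitive dependency of express, which is exactly the kind of component you never see unless you inventory the nested tree.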
The fact is, we all play a part in maintaining our application’s health.
- Keep components updated promptly
- Wash your hands
- Run SCA scans and remediate found vulnerabilities swiftly
- Cover your mouth when you sneeze
- Only use legit components from legit sources
- Don’t come to work if you have a fever
Stay well, friends!
-Jen