OWASP Top 10 for Developers: Using Components with Known Vulnerabilities

Andy Kofod - Sep 15 '21 - Dev Community

The OWASP Top 10 is an open-source project that lists the ten most critical security risks to web applications. By addressing these issues, an organization can greatly improve the security of their software applications. Unfortunately, many developers aren't familiar with the list, or don't have a thorough understanding of the vulnerabilities and how to prevent them. In this series, I'm going to break down each of the vulnerabilities on the list, explain what each one is, how to identify it in your projects, and how to prevent it.

Using Components with Known Vulnerabilities

What is it?

This is one of the most prevalent issues among the OWASP Top 10. The growing reliance on third-party components creates a risk if dependencies aren't kept up to date. There are numerous tools available to attackers, such as the Metasploit Framework, that allow them to easily identify and exploit known vulnerabilities in applications and operating systems. In many cases, a patch has already been released for these vulnerable components, but the victim organization has been slow to update its dependencies. Additionally, developers may not thoroughly understand the nested (transitive) dependencies of all of the libraries being used in an application.

How can you identify it?

Identifying this type of vulnerability requires a thorough review of all frameworks and dependencies used in an application to check for known vulnerabilities listed in the CVE database. Additionally, applications need to be continuously monitored for newly reported vulnerabilities. This can be an extremely time-consuming process, so it's safe to assume that, if your organization doesn't have a defined process for regularly updating your dependencies, you probably have at least some vulnerabilities in your application.

How can you prevent it?

In order to prevent this issue, your organization needs to implement regular checks of your dependencies against the CVE database for known vulnerabilities, and establish a process for keeping all dependencies up to date. Fortunately, much of this can be automated using vulnerability scanning tools, such as OWASP Dependency Check, RetireJS, or Brakeman. Additional tools, such as WhiteSource's Renovate, provide a complete dependency management solution by automatically updating any vulnerable dependencies they find. In addition to keeping dependencies updated, it's important to remove any dependencies that are no longer being used, since unused code still carries its vulnerabilities.
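The following Python sketch is an added illustration, not code from the article or from any of the tools it names. It shows the core of what the scanners described in the two sections above do: parse a pinned dependency manifest, compare each version against an advisory feed's vulnerable range, and flag dependencies that nothing in the codebase imports. The manifest, the advisory entries (with placeholder identifiers of the form ADV-EXAMPLE-NNNN) and the import snapshot are all constructed sample data, not real CVE records.

```python
"""Minimal dependency audit (added example; all data below is constructed)."""
import re
import sys

# Constructed sample manifest in requirements.txt style, every version pinned.
MANIFEST = """\
flask==1.0.2
requests==2.25.1
pyyaml==5.1
leftpad-helper==0.3.0
"""

# Constructed advisory feed: affected package, vulnerable version range
# [introduced, fixed), and a placeholder advisory id (not a real CVE).
ADVISORIES = [
    {"package": "flask", "introduced": "0.0.0", "fixed": "1.1.0", "id": "ADV-EXAMPLE-0001"},
    {"package": "pyyaml", "introduced": "0.0.0", "fixed": "5.4", "id": "ADV-EXAMPLE-0002"},
    {"package": "requests", "introduced": "2.27.0", "fixed": "2.27.1", "id": "ADV-EXAMPLE-0003"},
]

# Constructed snapshot of the top-level modules the application code imports,
# plus the cases where the distribution name differs from the import name.
IMPORTED_MODULES = {"flask", "requests", "yaml"}
IMPORT_NAME = {"pyyaml": "yaml"}


def parse_version(version):
    """Turn a dotted numeric version into a comparable tuple, e.g. '1.0.2' -> (1, 0, 2)."""
    return tuple(int(part) for part in version.split("."))


def in_range(version, introduced, fixed):
    """True if version is in the half-open vulnerable range [introduced, fixed)."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def parse_manifest(text):
    """Parse 'name==version' lines into {name: version}; reject anything unpinned."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = re.match(r"^([A-Za-z0-9_.-]+)==([0-9.]+)$", line)
        if not match:
            raise ValueError(f"unpinned or unparsable manifest line: {line!r}")
        deps[match.group(1).lower()] = match.group(2)
    return deps


def find_vulnerable(deps, advisories):
    """Return (package, installed_version, advisory_id, fixed_version) for every match."""
    findings = []
    for adv in advisories:
        installed = deps.get(adv["package"])
        if installed and in_range(installed, adv["introduced"], adv["fixed"]):
            findings.append((adv["package"], installed, adv["id"], adv["fixed"]))
    return sorted(findings)


def find_unused(deps, imported_modules, import_names):
    """Return declared dependencies whose import name never appears in the code."""
    unused = []
    for package in deps:
        module = import_names.get(package, package.replace("-", "_"))
        if module not in imported_modules:
            unused.append(package)
    return sorted(unused)


def audit(manifest_text, advisories, imported_modules, import_names):
    """Run both checks and return a report dict suitable for a CI gate."""
    deps = parse_manifest(manifest_text)
    return {
        "vulnerable": find_vulnerable(deps, advisories),
        "unused": find_unused(deps, imported_modules, import_names),
    }


if __name__ == "__main__":
    report = audit(MANIFEST, ADVISORIES, IMPORTED_MODULES, IMPORT_NAME)
    for package, installed, adv_id, fixed in report["vulnerable"]:
        print(f"VULNERABLE {package}=={installed}: {adv_id}, upgrade to >= {fixed}")
    for package in report["unused"]:
        print(f"UNUSED     {package}: declared but never imported, consider removing")
    # Fail the build when known-vulnerable components are present.
    sys.exit(1 if report["vulnerable"] else 0)
```

The version comparison here only handles plain dotted integers; real manifests carry pre-release and build tags (PEP 440, semver), so a production scanner should use a proper version library and a maintained advisory source rather than this tuple comparison and hand-written list. The exit code is the piece worth copying: wiring a non-zero exit on findings into CI is what turns an occasional review into the continuous monitoring the article calls for.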

References

OWASP Top 10 Project: 9. Using Components with Known Vulnerabilities
OWASP Dependency Check Project
RetireJS
Brakeman
WhiteSource Renovate
CVE Database

