2017 OWASP A9 Update: Using Components With Known Vulnerabilities
Introduction
It does not take a rocket scientist to understand using components with known vulnerabilities is a very poor choice. While solving this issue may sound straightforward, i.e., using components with NO known vulnerabilities, it still is quite a challenge. As of 2017, it remains a serious issue that, if overlooked, may severely impact your business.
The Open Web Application Security Project (OWASP) is one of the most respected sources of information regarding web application vulnerabilities. OWASP’s latest update to their Ten Most Critical Web Application Security Risks list was released in 2017. While there have been some significant changes, such as the merging of insecure direct object references and missing function level access control, using components with known vulnerabilities has remained untouched in the A9 position.
11 courses, 8+ hours of training
How Is a Web App Affected by Components With Known Vulnerabilities?
Without adequate protection or alternative security controls like a web application firewall (WAF), vulnerable components (i.e., third party frameworks, modules or components) are more than likely to be identified and exploited by cybercriminals, either manually or with automated tools. This means an attacker does not need a specific target — if the search for a weak component is completed by automated scanning or performed by manual analysis, it is only a matter of time and persistence until a vulnerable application is found.
While this sort of attack can be quite common, many applications and APIs remain exposed because development teams do not ensure their components and libraries are up to date. In extreme cases, developers may not even be aware of all the components (or the versions) they are using. In this scenario, there is a great deal of weaknesses that can be exploited, including injection attacks, bypassing access controls and XSS. The impact of a successful attack can vary from a minimal nuisance to a complete takeover and major data exposure, so depending on what the application is used for, this can either be something trivial or a significant compromise to the business.
What Is an Example of a Component With Known Vulnerabilities?
A practical example of this type of vulnerability is Heartbleed, a flaw in the OpenSSL cryptographic software library discovered in 2014. This software component, whose main purpose is to protect data on web applications, had a security weakness allowing attackers to steal the information usually protected by SSL/TLS encryption. This bug allowed anyone on the Internet to read the memory of systems protected by the vulnerable versions of the OpenSSL software, compromising secret keys used to identify service providers and encrypt the traffic, names and passwords of users and the actual content.
By eavesdropping on communications, attackers could steal data directly or even impersonate the services or users. At the time this issue was discovered, half a million widely trusted websites were vulnerable to the Heartbleed bug. As of early 2017, a great number of companies (about 200,000) were still using a component with a known vulnerability.
Why Is Using Components With Known Vulnerabilities Still a Persistent Threat?
The Heartbleed bug was discovered in 2014, but still exposes a significant number of companies several years after the fix was released. Considering such examples, and this may apply to several other vulnerabilities, it stands to reason the technical aspect of the problem is just one factor.
The major challenge here is deploying a process that ensures the continuous monitoring of components in use, both client-side and server-side, for new vulnerabilities and fixing found issues as soon as possible. This can be quite a difficult task, mainly because of the lack of standardization in vulnerability reporting. Discovering the exact component in a product family with a vulnerability is often a very difficult and time-consuming endeavor. To make matters worse, several vulnerabilities can remain in the shadows since they may never get properly reported to the Common Vulnerabilities and Exposures (CVE) or the National Vulnerability Database (NVD) repositories.
How Can I Avoid Using Components With Known Vulnerabilities?
The best approach to resolving A9 issues is creating a systematic process to both identify and treat any vulnerability that may affect a web application. While some companies may have teams that will try to find weaknesses manually, in most cases, the process is performed with the aid of automated tools such as vulnerability scanners. Ideally, a combination of both automatic analysis and manual inspection should be in place.
Once a vulnerable component is found, it is important to determine whether the application using it is in fact vulnerable. This may require checking the code to confirm if the vulnerable part of the component is actually in use, and how this flaw could impact the application/business. While using automated tools can drastically reduce the time required to discover weak components, the reports generated can be quite vague, so validating vulnerabilities is a task best performed with the help of an expert professional.
Once a vulnerable component is confirmed to be in use, the usual remediation plan is updating it to the latest version. This can create another problem: Most of the time it will require code changes to the affected application. Now, if a business has a development team available, it is just a matter of allocating resources, but since many companies will simply buy a web application from a third-party developer, they may not have the necessary assets for implementing code updates right away.
To avoid these issues, it is imperative that software projects have a process in place to continuously inventory the versions of both client-side and server-side components and their dependencies. Once a vulnerability is found, you must decide whether to update the component (and the best way to deal with rewriting application code if required) or use virtual patch technology that can analyze HTTP traffic, data flow or code execution and prevent the exploit of vulnerable components.
Whatever approach your company is enforcing, it should make clear using components with known vulnerabilities without proper care for security controls is not acceptable. Management should take the necessary efforts to ensure the security and development teams understand and adhere to secure development and vulnerability management best practices. This sounds a lot more complicated than it actually is. Since it is the only practical way of guaranteeing a proper level of protection for web applications, any alternative method will expose your web application to an unknown level of risk that may severely impact company operations, reputation and finances.
How Can I Learn More About Web Application Vulnerabilities?
Infosec Institute offers secure-coding training modules for developers through its security awareness training platform, SecurityIQ, including a module on known vulnerabilities.
The platform includes training for every vulnerability included in OWASP’s 2017 list, as well as over 300 additional security awareness training modules for all employee levels and roles. Sign up for a free SecurityIQ account to get started today.
Another great option is the OWASP Top 10 Boot Camp, an interactive experience focused on providing a good mix of engaging lectures, hands-on secure coding lab activities and group exercises. This is the most current, up-to-date and hands-on secure coding training available.
11 courses, 8+ hours of training
Sources
Learn how to secure systems with 11 courses from Infosec Skills instructor and #1 best-selling author Ted Harrington.
- Hack your system
- Establish your threat model
- Spend wisely
- And more
In this Series
- 2017 OWASP A9 Update: Using Components With Known Vulnerabilities
- DevSecOps: Moving from “shift left” to “born left”
- What’s new in the OWASP Top 10 for 2023?
- DevSecOps: Continuous Integration Continuous Delivery (CI-CD) tools
- Introduction to DevSecOps and its evolution and statistics
- MongoDB (part 3): How to secure data
- MongoDB (part 2): How to manage data using CRUD operations
- MongoDB (part 1): How to design a schemaless, NoSQL database
- Understanding the DevSecOps Pipeline
- API Security: How to take a layered approach to protect your data
- How to find the perfect security partner for your company
- Security gives your company a competitive advantage
- 3 major flaws of the black-box approach to security testing
- Can bug bounty programs replace dedicated security testing?
- The 7 steps of ethical hacking
- Laravel authorization best practices and tips
- Learn how to do application security right in your organization
- How to use authorization in Laravel: Gates, policies, roles and permissions
- Is your company testing security often enough?
- Authentication vs. authorization: Which one should you use, and when?
- Why your company should prioritize security vulnerabilities by severity
- There’s no such thing as “done” with application security
- Understanding hackers: The insider threat
- Understanding hackers: The 5 primary types of external attackers
- Want to improve the security of your application? Think like a hacker
- 5 problems with securing applications
- Why you should build security into your system, rather than bolt it on
- Why a skills shortage is one of the biggest security challenges for companies
- How should your company think about investing in security?
- How to carry out a watering hole attack: Examples and video walkthrough
- How cross-site scripting attacks work: Examples and video walkthrough
- How SQL injection attacks work: Examples and video walkthrough
- Securing the Kubernetes cluster
- How to run a software composition analysis tool
- How to run a SAST (static application security test): tips & tools
- How to run an interactive application security test (IAST): Tips & tools
- How to run a dynamic application security test (DAST): Tips & tools
- Introduction to Kubernetes security
- Key findings from ESG’s Modern Application Development Security report
- Microsoft’s Project OneFuzz Framework with Azure: Overview and concerns
- Software maturity models for AppSec initiatives
- Best free and open source SQL injection tools [updated 2021]
- Pysa 101: Overview of Facebook’s open-source Python code analysis tool
- Improving web application security with purple teams
- Open-source application security flaws: What you should know and how to spot them
- Android app security: Over 12,000 popular Android apps contain undocumented backdoors
- 13 common web app vulnerabilities not included in the OWASP Top 10
- Fuzzing, security testing and tips for a career in AppSec
- 14 best open-source web application vulnerability scanners [updated for 2020]
- 6 ways to address the OWASP top 10 vulnerabilities
- Ways to protect your mobile applications against hacking
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Application security
Application security
Application security
DevSecOps: Continuous Integration Continuous Delivery (CI-CD) tools
Application security