Day 10: OWASP Top 10 2021 – #6 Vulnerable and Outdated Components

Posted on by

www.wallarm.com

Many present distributed web applications use open source libraries and frameworks as part of their design. Any part that has a known vulnerability develops into a weak point that can compromise the security of the entire application.

Any software or code that is vulnerable, unsupported, or out of date falls into the Vulnerable and Outdated Components category. It has climbed up from ninth place and was formerly named Using Components with Known Vulnerabilities.

Impact of Vulnerable and Outdated Components

In other words, what is the impact of using components with known vulnerabilities?

  • Although often less focused on, using software and libraries with vulnerabilities subjects your system to future attacks if not updated or patched.
Remedy to Vulnerable and Outdated Components

Continuously checking all code components for known vulnerabilities and applying patches or other remedies as soon as a vulnerability is discovered are the best forms of defense. The following best practices increase the potency of this line of defense:

  • Configuration management should apply to all components incorporated into the organization’s frameworks.
  • All of the components that need to be monitored must be automatically discovered by the scanner.
  • A thorough vulnerability database that has been enhanced with threat intelligence data should be used for scanning.
  • To minimize the operational risk associated with patching, the patch management workflows for selecting, testing, and delivering the appropriate patch should be as automated as possible.
CWEs List for Vulnerable and Outdated Components
  1. CWE-937 OWASP Top 10 2013: Using Components with Known Vulnerabilities
  2. CWE-1035 2017 Top 10 A9: Using Components with Known Vulnerabilities
  3. CWE-1104 Use of Unmaintained Third Party Components
References To Get More Understanding of Vulnerable and Outdated Components
  • https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/
  • https://www.immuniweb.com/blog/OWASP-vulnerable-and-outdated-components.html
  • https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities

This will be all for the Day 10 post. Hope you enjoyed it, kindly let me know in the comments section. Be sure to check out other blog posts of interest or come back tomorrow for the next day’s post.