OWASP Top Ten 2017 | A9:2017-Using Components with Known Vulnerabilities

Overview

OWASP Top Ten 2017 highlights the security vulnerability of using components with known vulnerabilities. This issue occurs when development teams are not aware of the components used in their application or API, leading to outdated or unsupported software. Exploiting known vulnerabilities in components is a common tactic used by attackers to gain unauthorized access.

Description

The A9:2017-Using Components with Known Vulnerabilities is a prevalent security weakness that can have significant impacts. While some known vulnerabilities may cause minor issues, several high-profile breaches have resulted from exploiting these vulnerabilities. It is crucial for organizations to understand and address this risk to protect their assets.

How to Prevent ?

To prevent the usage of components with known vulnerabilities, organizations should establish a patch management process. This process should include regularly scanning for vulnerabilities, subscribing to security bulletins, and fixing or upgrading platforms, frameworks, and dependencies in a timely manner. Additionally, securing component configurations and obtaining components from official sources over secure links can reduce the risk of including malicious components. Ongoing monitoring, triaging, and updates are essential for maintaining the security of applications.

Example Attack Scenarios:

• Scenario #1: Exploiting Component Flaws:  Components run with the same privileges as the application, making them a potential entry point for attackers. Flaws in components, whether accidental or intentional, can have serious impacts. For example, the CVE-2017-5638 vulnerability in Struts 2 allowed remote code execution and led to significant breaches. Patching vulnerabilities in components, including IoT devices, is crucial to prevent exploitation.