Components with known vulnerabilities

What are Components with known vulnerabilities?

Some vulnerable components (e.g., framework libraries) can be identified and exploited with automated tools, expanding the threat agent pool beyond targeted attackers to include chaotic actors.

Virtually every application has these issues because most development teams don't focus on ensuring their components/libraries are up to date. In many cases, the developers don't even know all the components they are using, never mind their versions. Component dependencies make things even worse.

OWASP

How to prevent Components with known vulnerabilities

Manual updates

One option is not to use components that you didn't write. But that's not very realistic.

Most component projects do not create vulnerability patches for old versions. Instead, most simply fix the problem in the next version. So upgrading to these new versions is critical.

Use Hdiv

Risk Covered

Hdiv's web information flow control reduces the parts of an application that vulnerable components can expose, and at the same time SDLC and runtime detection is provided to prevent vulnerable libraries from being used.

Hdiv's vulnerable software detection tools take a more pragmatic approach, analysing software dependencies both at build time and at runtime, to easily detect vulnerable pieces of software that should be replaced with newer versions. The tools are designed to cover the whole application lifecycle:

  • Fast feedback: by integrating vulnerable software detection into the build, our tools provide fast feedback so that vulnerable pieces can be replaced as soon as possible. This reduces the higher cost that results when they are detected later in the lifecycle.
  • Complete lifetime protection: most tools that attempt vulnerable software detection are limited to build time. Hdiv's tools extend that protection to the application's complete lifetime, from early integration right up to production. This pragmatic approach allows vulnerabilities to be detected in software that may no longer be under development but whose dependencies are found to be vulnerable only later (e.g. the Heartbleed bug in OpenSSL).
  • Automatic vulnerabilities dashboard: another interesting feature of the Hdiv tool is that in production (or pre-production) environments it keeps track of all those vulnerabilities in a centralized place, giving system administrators all this information at a glance and without having to manually run additional checks.
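The build-time half of the approach above comes down to one check: take the components an application declares, look each one up in a list of known-vulnerable version ranges, and report anything that falls inside a range together with the first fixed version to upgrade to. The following is an added example written for this page, not Hdiv's Maven plugin or agent; the pom.xml fragment, the advisory identifiers and the version ranges are all constructed for illustration. The same range check applies unchanged to an inventory gathered at runtime, which is what lets an agent flag a dependency that became vulnerable long after the application was built.

```python
"""Check declared Maven dependencies against known-vulnerable version ranges.

Added example, not Hdiv code. The pom.xml and the advisory list below are
constructed for illustration; the advisory ids are placeholders, not real CVEs.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample manifest: a Maven pom.xml fragment with three dependencies.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>web-framework</artifactId>
      <version>2.3.15</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>tls-lib</artifactId>
      <version>1.0.1f</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>json-parser</artifactId>
      <version>3.1.0</version>
    </dependency>
  </dependencies>
</project>"""

# Constructed advisory database (placeholder ids):
# (groupId, artifactId) -> [(first affected, inclusive; first fixed, exclusive; advisory id)]
ADVISORIES = {
    ("org.example", "web-framework"): [("2.0.0", "2.3.16", "EXAMPLE-ADV-001")],
    ("org.example", "tls-lib"):       [("1.0.1", "1.0.1g", "EXAMPLE-ADV-002")],
}


def parse_version(version):
    """Turn '1.0.1f' into a tuple that compares the way release ordering does.

    Numeric segments become (0, int) and alphabetic ones (1, str), so segments
    never compare int-against-str, 1.0.1 sorts before 1.0.1f, and 1.0.1f before 1.0.1g.
    """
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def is_affected(version, first_affected, first_fixed):
    """True when first_affected <= version < first_fixed."""
    v = parse_version(version)
    return parse_version(first_affected) <= v < parse_version(first_fixed)


def declared_dependencies(pom_xml):
    """Yield (groupId, artifactId, version) for every <dependency> in the pom."""
    ns = {"m": "http://maven.apache.org/POM/4.0.0"}
    root = ET.fromstring(pom_xml)
    for dep in root.findall(".//m:dependency", ns):
        yield (dep.findtext("m:groupId", namespaces=ns),
               dep.findtext("m:artifactId", namespaces=ns),
               dep.findtext("m:version", namespaces=ns))


def find_vulnerable(pom_xml, advisories=ADVISORIES):
    """Return one finding per (dependency, advisory) match, in pom order."""
    findings = []
    for group, artifact, version in declared_dependencies(pom_xml):
        for first_affected, first_fixed, adv_id in advisories.get((group, artifact), []):
            if is_affected(version, first_affected, first_fixed):
                findings.append({
                    "component": f"{group}:{artifact}",
                    "version": version,
                    "advisory": adv_id,
                    "upgrade_to": first_fixed,   # earliest version outside the range
                })
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(SAMPLE_POM):
        print(f"{f['component']} {f['version']} affected by {f['advisory']}; "
              f"upgrade to {f['upgrade_to']}")
```

Run against the constructed pom it reports the two dependencies inside an advisory range and leaves the third alone. Wiring a check like this into the build (failing the build on any finding) is what delivers the fast feedback described above; feeding it a runtime inventory of loaded components instead of a pom gives the lifetime coverage.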

Hdiv provides several tools to properly handle this vulnerability:

  • Hdiv Maven Plugin: integrated in the SDLC, it eagerly detects vulnerable libraries, making them easier to change as soon as they are detected.
  • Runtime vulnerable component detection: the Hdiv Agent automatically finds any vulnerable library at runtime and reports it to the console.
  • Risk mitigation: although Hdiv cannot update out-of-date versions of software used by the web applications, the web information flow control system impedes the exploitation of known and unknown vulnerabilities within that software. In many cases (see: Struts cancel vulnerability) risks are based on an unexpected use of a web application. Hdiv does not allow the original contract to be broken, and so it is more difficult to exploit existing risks.