Components With Known Vulnerabilities

OWASP Top 10 - A9




What are Components with known vulnerabilities?

Some vulnerable components (e.g., framework libraries) can be identified and exploited with automated tools, expanding the threat agent pool beyond targeted attackers to include chaotic actors.

Virtually every application has these issues because most development teams don't focus on ensuring their components/libraries are up to date. In many cases, the developers don't even know all the components they are using, never mind their versions. Component dependencies make things even worse.




How to prevent Components with known vulnerabilities

Manual updates

One option is not to use components that you did not write, but that is not very realistic. Most component projects do not create vulnerability patches for old versions; instead, most simply fix the problem in the next version. Upgrading to these new versions is therefore critical.

Use Hdiv

Risk Covered

  • Hdiv flow control minimizes the exposed vulnerable surface, and at the same time detection during the SDLC and at runtime is provided to prevent the use of vulnerable libraries.

Hdiv vulnerable software detection tools promote a more pragmatic approach, analysing software dependencies both at build time and at runtime to detect vulnerable pieces of software that should be replaced with newer versions. The tools are designed to cover the whole application lifecycle:

  • Fast Feedback: By integrating vulnerable software detection into the build, our tools provide fast feedback so that vulnerable pieces can be replaced as soon as possible. This reduces the higher cost that results when they are detected later in the lifecycle.
  • Complete lifetime protection: Most tools that attempt vulnerable software detection are limited to build time. Hdiv software tools extend that to protect applications during their complete lifetime, from early integration right up to production. This pragmatic approach allows vulnerabilities to be detected in software that may no longer be under development but whose dependencies have been found vulnerable after some time (e.g. the Heartbleed bug in OpenSSL).
  • Automatic Vulnerabilities Dashboard: Another interesting feature of the Hdiv tool is that in production (or pre-production) environments it keeps track of all those vulnerabilities in a centralized place, giving system administrators all this information at a glance without having to manually run additional checks.
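The two checks described above (a build-time scan of the declared dependencies and a runtime scan of what is actually loaded) can be illustrated with a minimal dependency scanner. The following is an added example and not Hdiv's code; the advisory database, the package names (`examplelib`, `legacytls`) and the pinned manifest are all constructed for the example, and the "affected range" convention (introduced up to but excluding the fixed version) is an assumption about how advisories are expressed.

```python
"""Minimal dependency vulnerability scanner (constructed example, not Hdiv's tooling).

Build-time input: a pinned requirements manifest.
Runtime input:    the distributions installed in the running interpreter.
Both are matched against the same advisory list.
"""
import re
from dataclasses import dataclass
from importlib import metadata
from typing import Dict, List, Optional, Tuple

# Constructed advisory database (hypothetical packages and ids, not real CVEs).
# Affected range is [introduced, fixed); fixed=None means no patched release exists.
ADVISORIES = [
    {"id": "ADV-0001", "package": "examplelib", "introduced": "1.0.0", "fixed": "1.4.2",
     "summary": "deserialization of untrusted input"},
    {"id": "ADV-0002", "package": "examplelib", "introduced": "2.0.0", "fixed": "2.1.0",
     "summary": "path traversal in archive extraction"},
    {"id": "ADV-0003", "package": "legacytls", "introduced": "0.0.0", "fixed": None,
     "summary": "no patched release; migrate to a maintained library"},
]

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Parse a dotted numeric version ('1.4.2', '2.0') into a comparable tuple.
    A non-numeric suffix ('1.4.2rc1') is ignored in its segment; short versions are
    padded so that (1, 4) compares equal to (1, 4, 0)."""
    parts = []
    for seg in text.strip().split("."):
        m = re.match(r"\d+", seg)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: Version, introduced: str, fixed: Optional[str]) -> bool:
    """True if version lies in [introduced, fixed); an unfixed advisory affects all later versions."""
    if version < parse_version(introduced):
        return False
    return fixed is None or version < parse_version(fixed)


@dataclass
class Finding:
    package: str
    version: str
    advisory_id: str
    summary: str
    fix: Optional[str]  # version to upgrade to, or None when the component must be replaced


def match_advisories(deps: Dict[str, str]) -> List[Finding]:
    """Compare a {package: version} map against every advisory."""
    findings = []
    for adv in ADVISORIES:
        name = adv["package"].lower()
        if name in deps and is_affected(parse_version(deps[name]), adv["introduced"], adv["fixed"]):
            findings.append(Finding(name, deps[name], adv["id"], adv["summary"], adv["fixed"]))
    return findings


def parse_requirements(text: str) -> Dict[str, str]:
    """Build-time input: 'name==version' lines; comments and blanks are ignored.
    Unpinned lines are skipped, since a range cannot be checked against an advisory."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9_.\-]+)\s*==\s*([0-9][^\s;]*)", line)
        if m:
            deps[m.group(1).lower()] = m.group(2)
    return deps


def scan_build_time(requirements_text: str) -> List[Finding]:
    return match_advisories(parse_requirements(requirements_text))


def scan_runtime() -> List[Finding]:
    """Runtime input: whatever is really installed, so a library that was added outside
    the manifest (or after the build) is still checked."""
    deps = {d.metadata["Name"].lower(): d.version
            for d in metadata.distributions() if d.metadata["Name"]}
    return match_advisories(deps)


# Constructed manifest for the example
SAMPLE_REQUIREMENTS = """
# pinned dependencies (constructed sample)
examplelib==1.3.0    # inside the ADV-0001 range
legacytls==0.9.1     # no fixed version available
requests==2.31.0     # not in the advisory list
"""

if __name__ == "__main__":
    for f in scan_build_time(SAMPLE_REQUIREMENTS) + scan_runtime():
        action = f"upgrade to {f.fix}" if f.fix else "no fixed version; replace the component"
        print(f"{f.advisory_id}: {f.package} {f.version} ({f.summary}) -> {action}")
```

Running the script reports `examplelib` (with the version to upgrade to) and `legacytls` (with no fix, which is the case where replacing the component is the only option). The same `match_advisories` routine serves both scans; what differs is only where the dependency list comes from, which is the point of extending detection from the build into production.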