Exploring the OWASP Top 10

One of the top ten security risks identified by OWASP is vulnerable and outdated components, which they talk about in this report: https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/. Applications have been using more and more pre-existing components rather than being coded completely from scratch. Web applications often need fast turnaround, and with the increasing quantity of open-source components available, it is no shock that developers are making use of it. In fact, an estimated 96% of applications use at least some open source components. On average, more than half of an application’s codebase consists of open-source code according to https://www.immuniweb.com/blog/OWASP-vulnerable-and-outdated-components.html. The result of this can be new websites and applications with deeply embedded vulnerabilities that are unknown to the application operator. Once those vulnerabilities are discovered and publicized, applications that use that vulnerable component may be found and exploited.

Components typically run with the same privileges as the application itself, so flaws in any component can result in serious impact. Such flaws may be accidental, such as a coding error, or intentional, such as a backdoor in a component. There are automated tools to help attackers find unpatched or misconfigured systems.

This is a risk if you do not know the versions of all the components you use, if your software is vulnerable or out of date, if you do not regularly scan for vulnerabilities and read updated information about the components you use, If you do not fix or upgrade the underlying platform, frameworks, and dependencies in a risk-based, timely fashion, or if software developers do not  test the compatibility of updated, upgraded, or patched libraries. You can find more possible risks, as well as prevention methods, in this guide: https://info.veracode.com/rs/790-ZKW-291/images/vulnerable-and-outdated-components-prevention-guide-en.pdf.

There should also be a process in place to remove unused dependencies, unnecessary features, components, or files. Continuously inventory the versions of both client-side and server-side components and their dependencies, only obtain components from official sources over secure links, and monitor for libraries and components that are not maintained or do not create security patches for older versions because they may be insecure. This image gives a briefer, easier to understand explanation about vulnerable components: