OWASP For IoT Security - 5

I5: Use of insecure or outdated components

A software component, such as a module, software package, or API, is an element of a system or application that extends its functionality. When a software component is unsupported, out of date, or vulnerable to a known exploit, component-based vulnerabilities arise. Vulnerable components can end up in production environments by accident, putting the web application at risk. Many software components run with the same rights as the application, so any fault or vulnerability in the component can put the entire application at risk. Using components with known flaws exposes the application to attacks at any level of the application stack. The following are a few attack types that may target known component vulnerabilities:

  • Code injection
  • Buffer overflow
  • Command injection
  • Cross-site scripting (XSS)

Updating components and keeping them up to date sounds simple, but it takes real effort and isn't always straightforward: you have to be ready to spend additional time and change your code so that it works with the latest releases.

Vulnerable components can be operating systems, software packages, applications, or runtime environments in client- and server-side code; insecure software configuration; and old or unpatched dependencies anywhere in the dependency chain of the components in use.
The following measures help avoid or remove such issues:

  • Maintain an inventory of the components in use and make sure they're up to date.
  • Reduce the attack surface and the liabilities by removing unneeded dependencies and components.
  • Install the components using trusted channels and double-check their integrity. It's also preferable to utilize signed packages if available.
  • Keep an eye out for security patches for the components in use. If the packages in use aren't kept up to date by their maintainers, apply patches yourself or switch to a well-maintained component with a large user base and support community. Where possible, do this right from the start by carefully selecting dependencies and components.
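As an added example (not from the original article or from OWASP), a small Python audit that covers the inventory and integrity items above: it flags components older than the latest known release, flags components with no maintainer data at all, and checks a downloaded package against a pinned SHA-256. The component names, versions, "latest" table and package bytes are constructed sample data.

```python
"""Component inventory audit: version freshness plus artifact integrity."""
import hashlib
import hmac
import re

# Constructed sample inventory for a hypothetical IoT gateway image.
# In practice this comes from an SBOM or the firmware's package manager.
INVENTORY = [
    {"name": "mbedtls", "version": "2.16.3"},
    {"name": "busybox", "version": "1.36.1"},
    {"name": "libcurl", "version": "7.64.0"},
    {"name": "vendor-blob", "version": "0.9"},
]

# Constructed "latest supported release" table; a real audit would pull this
# from the vendor advisory feed or a vulnerability database instead.
LATEST = {"mbedtls": "2.28.8", "busybox": "1.36.1", "libcurl": "8.5.0"}


def parse_version(text):
    """Turn '1.2.3-rc1' into a comparable tuple (1, 2, 3); pre-release tags are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", text.split("-")[0]))


def outdated_components(inventory, latest):
    """Names of components whose installed version is older than the latest known release."""
    return [c["name"] for c in inventory
            if c["name"] in latest
            and parse_version(c["version"]) < parse_version(latest[c["name"]])]


def untracked_components(inventory, latest):
    """Components with no maintainer data: nobody is watching them for patches."""
    return [c["name"] for c in inventory if c["name"] not in latest]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_artifact(data, expected_hex):
    """Constant-time comparison of a downloaded package's SHA-256 against the pinned digest."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def audit(inventory, latest, artifact, pinned_hex):
    """Combine the three checks into one report a release pipeline can gate on."""
    return {"outdated": outdated_components(inventory, latest),
            "untracked": untracked_components(inventory, latest),
            "integrity_ok": verify_artifact(artifact, pinned_hex)}
```

The pinned digest should come from the vendor's signed release manifest, never from the same download location as the package itself.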

Automated tools are available that help attackers locate unpatched or misconfigured systems. While it is often difficult or impossible to patch Internet of Things (IoT) devices, the need to do so can't be overlooked, for example in biomedical devices.
