A9: Using Components with Known Vulnerabilities

App Specific

While it is easy to find already-written exploits for many known vulnerabilities, other vulnerabilities require concentrated effort to develop a custom exploit.

Prevalence

Prevalence of this issue is very widespread. Component-heavy development patterns can lead to development teams not even understanding which components they use in their application or API, much less keeping them up to date.

Some scanners such as retire.js help in detection, but determining exploitability requires additional effort.

Technical

While some known vulnerabilities lead to only minor impacts, some of the largest breaches to date have relied on exploiting known vulnerabilities in components. Depending on the assets you are protecting, perhaps this risk should be at the top of the list.

You are likely vulnerable:

  • If you do not know the versions of all components you use (both client-side and server-side). This includes components you directly use as well as nested dependencies.

  • If software is vulnerable, unsupported, or out of date. This includes the OS, web/application server, database management system (DBMS), applications, APIs and all components, runtime environments, and libraries.

  • If you do not scan for vulnerabilities regularly and subscribe to security bulletins related to the components you use.

  • If you do not fix or upgrade the underlying platform, frameworks, and dependencies in a risk-based, timely fashion. This commonly happens in environments where patching is a monthly or quarterly task under change control, which leaves organizations open to many days or months of unnecessary exposure to already-fixed vulnerabilities.

  • If software developers do not test the compatibility of updated, upgraded, or patched libraries.

  • If you do not secure the components' configurations (see A6:2017-Security Misconfiguration).
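The first two bullets above come down to knowing every component you ship, nested ones included, and comparing each version against what is known to be affected. The following is an added example (not code from the page, OWASP, or Valency Networks) that walks a constructed package-lock-style dependency tree, records the path that pulls each component in, and flags versions below a constructed "fixed in" version; the advisory list and lock tree are sample data, and real checks would use an advisory feed and full semver handling.

```javascript
// Added example (not from the page): inventory every component, direct and
// nested, in a package-lock-style tree and flag versions in a known-vulnerable
// range. Both the advisories and the lock tree are constructed sample data.
const ADVISORIES = [ // constructed: versions below "fixedIn" are affected
  { name: "parser-demo", fixedIn: "2.0.5" },
  { name: "left-pad-demo", fixedIn: "1.3.0" },
];

const LOCK = { // constructed npm v1 lockfile shape with nested "dependencies"
  dependencies: {
    "web-framework-demo": {
      version: "4.1.0",
      dependencies: {
        "parser-demo": { version: "2.0.1" },   // nested, still affected
        "left-pad-demo": { version: "1.3.2" }, // nested, already fixed
      },
    },
    "left-pad-demo": { version: "1.1.0" },     // direct, affected
  },
};

// Numeric dotted-version compare: negative when a < b, 0 when equal, positive when a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Depth-first walk recording every component with the path that pulls it in,
// so a finding on a nested component can be traced to a direct dependency.
function inventory(node, path = [], out = []) {
  for (const [name, info] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${info.version}`];
    out.push({ name, version: info.version, path: here.join(" > ") });
    inventory(info, here, out);
  }
  return out;
}

// A component is flagged when an advisory names it and its version is below the fix.
function findKnownVulnerable(lock, advisories = ADVISORIES) {
  return inventory(lock).filter((c) => advisories.some(
    (a) => a.name === c.name && compareVersions(c.version, a.fixedIn) < 0));
}

for (const f of findKnownVulnerable(LOCK)) console.log("affected:", f.path);
```

Note that the nested parser-demo is reported even though nothing in the application references it directly, which is exactly the case teams miss when they only track top-level components.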

How to detect this security problem?

The Valency Networks technical team is highly capable of running application scans and also performs manual vulnerability assessments to find this security problem. We can also help you redesign the code component or provide inputs towards a successful fix.

Contact us for more details

What Our Customers Say?

Valency Networks is a very techie company, focusing on continuous improvement in service quality. Our customers like us exactly for that, and that helps us keep our quality at the highest level.