Top 10 Web Security Risks: Using Components with Known Vulnerabilities (#9)

The Open Web Application Security Project (OWASP) has released their top 10 web security risks and number nine is using components with known vulnerabilities. Almost every big piece of software today uses external components or libraries. They provide significant advantages in terms of time and effort and, if selected carefully, they allow developers to bring the experience and expertise of other organizations into their own projects.

Defining the Problem

No software package is perfect, and even though the organizations distributing these components work hard to make good products, they are aware that mistakes happen. When using external libraries in your project it’s important to keep in mind that you are bringing in good functionality and important features, but you are also opening the door for potential bugs and security vulnerabilities.

A recent example of this is the ‘remote-code execution with Expression Language injection’ vulnerability that was recently introduced through the Spring Framework for Java. The issue was fixed soon after it was discovered and a fixed version of the framework was published. However, it is estimated that 29.8 million downloads contain the known vulnerability.

OWASP outlines using components with known vulnerabilities as follows:

Detection & Prevention

Take the time to look at existing documentation for the components your project is using as well as forums and posts reviewing the product you’re considering. Most of the providers are quick to inform users when vulnerabilities are found.

One of the biggest issues with this kind of threat comes from a lack of attention on the part of the users. When the vulnerabilities are detected fixes and updated versions tend to appear promptly, but many users neglect updating their components. This allows the flaws to linger in their code, for years in some cases.

A proactive approach to avoid being affected by known vulnerabilities or to prevent undiscovered ones is to wrap the functionality added by the external components with your own code. This way, you can control what comes in and out of the external components effectively adding your own layer of security.

Summary

The benefits of using external components in your projects are undisputable, but it is essential to remain vigilant about what vulnerabilities you allow into your systems. Stay informed about the components you use and make sure you address reported issues appropriately, either by using the latest versions and fixes or by adding your own layer of security.

Be sure to follow us on Twitter or LinkedIn for more great tips.  Have a question related to the blog series or  web security in general?  Use the comments section below to join the conversation.

• Web Security
• OWASP
• Open Web Application Security Project
• Using Components With Known Vulnerabilities