Risk A9 in OWASP - Use of components with vulnerabilities

In our post "Qué es OWASP y por qué todo desarrollador debería conocerlo" (What OWASP is and why every developer should know it) we introduced OWASP and explained why it is so important in web application development. As part of the Top Ten project, we are looking a little more closely at each of the ten most critical security risks in web applications. Today it is the turn of Risk A9 - Use of components with vulnerabilities.
Definition
This risk refers to the use of software components or libraries without support or with vulnerabilities.
Examples
- An application that uses a vulnerable version of a JavaScript library could allow an attacker to perform an XSS attack, if the vulnerability permits it. Attackers can look up lists of known vulnerabilities in specific libraries and then search for sites running the outdated software.
Prevention
- Unnecessary and unused dependencies, functionalities, files, and documentation should be eliminated.
- Dependency managers such as Composer or npm should be used at all costs to detect obsolete libraries and released security patches.
- Automated analysis tools can be used, along with subscriptions to security alerts for outdated components.
- Components should only be obtained from official sources and through secure channels. Only signed packages should be used, to prevent malicious modification.
- Libraries and components that are unsupported or that have released patches should be monitored.
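
To illustrate the kind of check that dependency managers and automated analysis tools perform, the following added example (not part of the original post) compares the components pinned in an npm lockfile against a list of advisories. The lockfile excerpt, package names, and advisory ids are constructed for illustration; in a real project, `npm audit` or `composer audit` does this against a live advisory database.

```javascript
// Constructed sample data: an excerpt of a package-lock.json (lockfileVersion 3)
// and a hypothetical advisory feed. Names, versions and ids are made up.
const lockfile = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-templating": { version: "2.3.1" },
    "node_modules/example-sanitizer": { version: "1.10.0" },
    "node_modules/example-router": { version: "4.0.2" },
    "node_modules/example-router/node_modules/example-sanitizer": { version: "1.2.9" },
  },
};
const advisories = [
  { id: "EXAMPLE-0001", package: "example-templating", fixedIn: "2.4.0", issue: "XSS" },
  { id: "EXAMPLE-0002", package: "example-sanitizer", fixedIn: "1.3.0", issue: "XSS" },
];

// Compare dotted numeric versions (major.minor.patch); returns <0, 0 or >0.
// Numeric comparison matters: as strings, "1.10.0" would sort before "1.3.0".
// Assumption: versions carry no pre-release tags such as "-beta".
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Walk every installed copy, including nested (transitive) ones, and report
// those older than the version in which the advisory was fixed.
function findVulnerable(lock, feed) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path === "") continue; // root project entry, not a dependency
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    for (const adv of feed) {
      if (adv.package === name && compareVersions(meta.version, adv.fixedIn) < 0) {
        findings.push({ path, installed: meta.version, advisory: adv.id, fixedIn: adv.fixedIn });
      }
    }
  }
  return findings;
}

for (const f of findVulnerable(lockfile, advisories)) {
  console.log(`${f.path}@${f.installed}: ${f.advisory}, upgrade to >= ${f.fixedIn}`);
}
```

The top-level copy of `example-sanitizer` is already patched, but the older copy nested under `example-router` is still flagged, which is why transitive dependencies need to be checked as well as direct ones.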