Is Your Web Application Exposed to Known Vulnerable Components?
Because open source components are so prevalent in both commercial off-the-shelf software and in-house developed applications, OWASP added a new entry to its Top Ten in 2013: A9 – Using Components with Known Vulnerabilities. Today, even more open source libraries and packages are in use.
There have been many highly publicized vulnerabilities and actual attacks reported in the last few years. OpenSSL, for example, is a very widely deployed component, and flaws in it such as Heartbleed and FREAK were exploitable in every application that linked the vulnerable versions. Other well-known attacks on secure communication, BEAST, Lucky Thirteen, BREACH and POODLE, were weaknesses in the protocol versions, CBC cipher modes or compression in use rather than bugs in a single library, but the practical effect on an application was the same: it was exposed through a component it did not write and had to update or reconfigure.
When even organizations with mature software development practices are exposed to significant levels of vulnerable components, it is imperative that operations, security, and development are all able to concisely share relevant information related to the health and security of their components. They also need to actually understand which components are actively used so that unnecessary components can be uninstalled or deactivated. The sooner the problem can be isolated, the easier it is to correct it.
Sonatype’s 2016 State of the Software Supply Chain Report found that almost 7% of components in use had known security issues and about 6% of downloaded components contained known vulnerabilities. The impact of a vulnerable component depends heavily on how it is used: if an application calls it for critical functionality or hands it untrusted input, a great deal is at risk.
Another Sonatype report states that “re-usable components now comprise 80-90% of an average application thus exposing organizations to potential security, license and quality risks”. Source: Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components with Known Vulnerabilities
Black Duck's scans of their customers uncovered “67% of commercial applications reviewed that contained security vulnerabilities in open source components.” Source: Open Source Security Report: The State of Open Source Security in Commercial Applications
BrixBits Security Analyzer provides several ways of gaining insight into this issue. Components are observed as the web application actually loads and uses them, and each one is checked against the NVD. Real-time events can be used in production, and exhaustive reports can be run in a UAT environment. UAT is the best place for the report because it is the most comprehensive testing an application receives and exercises as many code paths as possible, so components that are only loaded on rarely used paths are still seen. Events are also raised for insecure and out-of-date secure communication protocols and ciphers, which is another valuable source of information for finding known vulnerable components.
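The core of the check described above is matching an observed component (vendor, product, version) against the affected-version ranges that the NVD publishes as CPE match clauses. The script below is an added example, not BrixBits code: it implements that matching offline with a small constructed inventory and two constructed vulnerability records. The CVE IDs are real, but each record's version range is abridged to the OpenSSL 1.0.1 branch and carries only the CVSS v2 base score, so the data is illustrative rather than a substitute for querying the NVD. The version-ordering rule (a trailing letter sorts after the bare number, as in OpenSSL's 1.0.1 < 1.0.1f) is an assumption of the example and would need extending for other schemes such as pre-release tags.

```python
"""Check a component inventory against NVD-style CPE match records.

Added example, not BrixBits code. The inventory and the vulnerability
records are constructed inline so the script runs offline; the CVE IDs are
real, but each record's version range is abridged to the OpenSSL 1.0.1 branch
and carries the CVSS v2 base score, so treat them as illustration, not as a
substitute for querying the NVD.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Component:
    vendor: str
    product: str
    version: str


@dataclass(frozen=True)
class CpeMatch:
    """One affected-version clause, using the same range semantics as the
    NVD's versionStartIncluding / versionEndExcluding fields."""
    vendor: str
    product: str
    version: Optional[str] = None          # exact version, or None for a range
    start_including: Optional[str] = None
    start_excluding: Optional[str] = None
    end_including: Optional[str] = None
    end_excluding: Optional[str] = None


@dataclass(frozen=True)
class Vuln:
    cve_id: str
    cvss: float
    matches: Tuple[CpeMatch, ...]


def parse_version(v: str) -> tuple:
    """Turn '1.0.1f' into a tuple that compares the way OpenSSL versions do:
    numeric fields compare numerically and a trailing letter sorts after the
    bare number (1.0.1 < 1.0.1a < 1.0.1f < 1.0.2). Each token is tagged so a
    number never collides with a letter during comparison."""
    return tuple(
        (0, int(tok)) if tok.isdigit() else (1, tok.lower())
        for tok in re.findall(r"\d+|[A-Za-z]+", v)
    )


def version_matches(version: str, m: CpeMatch) -> bool:
    """Apply a single CPE match clause to a concrete version string."""
    cv = parse_version(version)
    if m.version is not None:
        return cv == parse_version(m.version)
    if m.start_including and cv < parse_version(m.start_including):
        return False
    if m.start_excluding and cv <= parse_version(m.start_excluding):
        return False
    if m.end_including and cv > parse_version(m.end_including):
        return False
    if m.end_excluding and cv >= parse_version(m.end_excluding):
        return False
    return True


def find_known_vulns(inventory, vulns) -> List[Tuple[Component, str, float]]:
    """Return (component, cve_id, cvss) for every inventory entry that falls
    inside an affected range, highest score first."""
    findings = []
    for c in inventory:
        for v in vulns:
            if any(m.vendor == c.vendor and m.product == c.product
                   and version_matches(c.version, m) for m in v.matches):
                findings.append((c, v.cve_id, v.cvss))
    return sorted(findings, key=lambda f: (-f[2], f[0].product, f[0].version))


# Constructed vulnerability records (abridged, see module docstring).
VULNS = (
    Vuln("CVE-2014-0160", 5.0,   # Heartbleed: OpenSSL 1.0.1 through 1.0.1f
         (CpeMatch("openssl", "openssl",
                   start_including="1.0.1", end_including="1.0.1f"),)),
    Vuln("CVE-2015-0204", 4.3,   # FREAK: OpenSSL 1.0.1 before 1.0.1k
         (CpeMatch("openssl", "openssl",
                   start_including="1.0.1", end_excluding="1.0.1k"),)),
)

# Constructed inventory, shaped like what a runtime agent or UAT scan reports.
INVENTORY = (
    Component("openssl", "openssl", "1.0.1e"),
    Component("openssl", "openssl", "1.0.1g"),
    Component("openssl", "openssl", "1.0.1k"),
    Component("nginx", "nginx", "1.9.5"),
)

if __name__ == "__main__":
    for comp, cve, score in find_known_vulns(INVENTORY, VULNS):
        print(f"{comp.product} {comp.version}: {cve} (CVSS {score})")
```

Two details matter in practice and are easy to get wrong in a home-grown scanner: a range clause such as "before 1.0.1k" must treat 1.0.1k itself as fixed (exclusive upper bound), and the comparison must be version-aware rather than a string or float comparison, otherwise 1.0.10 sorts before 1.0.9. Real NVD records also carry several clauses per CVE (one per maintained branch), which is why the record holds a tuple of matches.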