Of all the cybersecurity weaknesses, using components with known vulnerabilities is perhaps the easiest to understand. Although this weakness is widespread, it is somewhat easy to resolve.
What does this weakness mean for me?
Using Components with Known Vulnerabilities According to OWASP: Using Components with Known Vulnerabilities Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate severe data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine the app.
These attacks have become commonplace because it is far easier for an attacker to use a known weakness than create a specific program or attack methodology to search out vulnerabilities themselves. This fact should put known component vulnerabilities high on your security priority list to mitigate.
Examples of using components with known vulnerabilities
The following example demonstrates how you might inadvertently start using a component with a known vulnerability:
- You are building a website on WordPress and require a template and various plugins (tools) to create your fully functioning website. The plugins & templates include those made and provided by other users. These could have their own vulnerability issues, and using the plugin compromises your website’s security.
WordPress creates general updates regularly to tackle security issues. However, due to its popularity, it can still be a target.
The next example demonstrates the potential risks and the magnitude of an attack facilitated by using a component with a known vulnerability:
- The Equifax breach allowed an attacker to gain remote code execution and pivot inside the Equifax network, allowing the attacker to steal the personal information of more than 140 million customers. The entry point was a vulnerability in a version of Struts (CVE-2017-5638)
How to prevent using components with a known vulnerability
The best way to prevent using components with known vulnerabilities would be to never use third-party components and build these in house. However, this is not always possible in the real world, it just means that you need to take precautions when choosing which 3rd party tools to use or work with.
- Always upgrade components to the latest version (patching)
- It is best to use an Iasme certified and CREST accredited penetration testing company to identify cybersecurity vulnerabilities such as insecure deserialisation or insufficient logging and monitoring.