Of all the cybersecurity weaknesses, using components with known vulnerabilities is perhaps the easiest to understand. Although this weakness is widespread, it is somewhat easy to resolve.
What is this vulnerability?
According to OWASP: Using Components with Known Vulnerabilities. Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate severe data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine the app.
These attacks have become commonplace because it is far easier for an attacker to use a known weakness than create a specific program or attack methodology to search out vulnerabilities themselves. This fact should put known component vulnerabilities high on your security priority list to mitigate.
Examples of using components with known vulnerabilities
The following example demonstrates how you might inadvertently start using a component with a known vulnerability:
- You are building a website on WordPress and require a template and various plugins (tools) to create your fully functioning website. The plugins & templates include those made and provided by other users. These could have their own vulnerability issues, and using the plugin compromises your website’s security.
WordPress creates general updates regularly to tackle security issues. However, due to its popularity, it can still be a target.
The next example demonstrates the potential risks and the magnitude of an attack facilitated by using a component with a known vulnerability:
- The Equifax breach allowed an attacker to gain remote code execution and pivot inside the Equifax network, allowing the attacker to steal the personal information of more than 140 million customers. The entry point was a vulnerability in a version of Struts (CVE-2017-5638)
How to prevent using components with a known vulnerability
The best way to prevent using components with known vulnerabilities would be to never use third-party components and build these in house. However, this is not always possible in the real world, it just means that you need to take precautions when choosing which 3rd party tools to use or work with.
- Always upgrade components to the latest version (patching)
- Use a security technology platform such as Darktrace Immune System, which leverages AI to detect sophisticated cyber threats
- Avoid using a junior penetration tester. It is best to use an Iasme certified and CREST accredited penetration testing company to identify cybersecurity vulnerabilities such as insecure deserialisation or insufficient logging and monitoring.
Contact Omnicyber Security to find out how our pen testing can seek out any components your web apps use that have vulnerabilities, explain what they are, and how to resolve them.