Vulnerabilities in Software Components

Is the Application Vulnerable? You are likely vulnerable: If you do not know the versions of all components you use (both client-side and server-side). This includes components you directly use as well as nested dependencies.

Is the Application Vulnerable? If software is vulnerable, unsupported, or out of date. This includes the OS, web/application server, database management system DBMS, applications, APIs and all components, runtime environments, and libraries.

Is the Application Vulnerable? If you do not scan for vulnerabilities regularly and subscribe to security bulletins related to the components you use.

Is the Application Vulnerable? If you do not fix or upgrade the underlying platform, frameworks, and dependencies in a risk-based, timely fashion.

Is the Application Vulnerable? If software developers do not test the compatibility of updated, upgraded, or patched libraries.

Example Attack Scenarios - Heartbleed Heartbleed a flaw in the OpenSSL cryptographic software library discovered in 2014. This software component, whose main purpose is to protect data on web applications, had a security weakness allowing attackers to steal the information usually protected by SSL/TLS encryption.

How to Prevent? There should be a patch management process in place to: Remove unused dependencies, unnecessary features, components, files, and documentation.

How to Prevent? Continuously inventory the versions of both client-side and server-side components (e.g. frameworks, libraries) and their dependencies using tools like versions, DependencyCheck, retire.js, etc.

How to Prevent? Only obtain components from official sources over secure links. Prefer signed packages to reduce the chance of including a modified, malicious component.

How to Prevent? Monitor for libraries and components that are unmaintained or do not create security patches for older versions.