What are vulnerable and outdated components?
Vulnerable and outdated components are open-source or proprietary code that contains known software vulnerabilities or is no longer maintained. This code usually takes the form of libraries or frameworks; for web applications this includes Laravel (PHP), Angular (JavaScript), Django (Python) and many others. Unfortunately, such code is often integrated into applications with little or no consideration for security, leading to potentially grievous consequences for application users and putting the reputation of companies at risk.
While zero-day vulnerabilities are sometimes discovered in third-party components and leveraged to breach sensitive systems, most breaches are due to weaknesses already well known to IT professionals. Unfortunately, fixing the issue can be quite complex and is not as simple as running an update command or downloading updated packages.
Risks and benefits of open source libraries
Almost all applications use open-source libraries instead of coding everything from scratch, which makes development faster and easier. Software developers are often under significant pressure to deliver as quickly as possible, which means these components are often not checked thoroughly enough before they are adopted. Once criminals learn that a component is vulnerable, the applications using it can be identified and exploited. While the vulnerability might seem like a small weakness in the code, in some cases it can lead to a full system compromise. Such a breach can have a grave impact on customer data and potentially lead to lost revenue and severe reputational damage to an organization.
Zero-day vulnerabilities
Zero-day vulnerabilities do pop up from time to time, but they’re usually not the most pressing issue for most businesses. According to Gartner, the vast majority of exploited vulnerabilities are those that IT professionals are already aware of, and an estimated 60% of organizations that suffered a recent data breach indicated it was due to a known vulnerability that had yet to be patched.
A widely publicized example is the breach that the American credit reporting bureau Equifax disclosed in 2017. The breach was due to the exploitation of Apache Struts, a popular open-source web application framework. Equifax executives had been aware of the vulnerable software for months before the hack but failed to take action. This compromise resulted in the theft of highly sensitive information, including the names, birthdates, addresses and social security numbers of 147.7 million citizens, almost half of the U.S. population.
Reducing the risk of vulnerable and outdated components
Locating known threats in vulnerable and outdated components is often fairly straightforward: both MITRE and NIST maintain large, easily searchable databases of Common Vulnerabilities and Exposures, or CVEs for short. Finding exploits for many of these CVEs can also be very simple, and Offensive Security has an extensive collection of exploit code available to the public. If an application contains a vulnerability that is listed in a public database, the software should be considered at risk until it has been patched.
Managing these third-party components can involve an enormous amount of time and resources. You might be tempted to think that running updates or upgrading to newer software versions is not a big deal, but the reality is far from it. Some applications might break after the changes, leading to a chain of dependency issues; some features may be deprecated, functions could be renamed, and a whole host of other problems could arise. In the best-case scenario, the updates will work smoothly or require minor tweaks to the code, but these changes could just as easily end up gobbling up significant amounts of time and money, causing major headaches all around.
Securing your web applications
While dealing with vulnerable and outdated components can be difficult, there are steps that can be taken to address this risk. OWASP, the Open Web Application Security Project, has several useful recommendations.
First and foremost, there should be a patch management process in place for your applications. This process should include removal of unused dependencies, features, components, files, and documentation. The versions of both client-side and server-side components, and of their dependencies, must be continuously monitored. Software composition analysis tools can help automate this process, and it is also recommended to subscribe to email alerts for CVEs that involve components in your application.
Furthermore, components should only be obtained from trusted sources, with a preference for signed packages so that their integrity can be verified. It is also recommended to test all patches and updates within a staging environment to avoid introducing unexpected issues into production systems. A web application penetration test can help you better understand the risks and vulnerabilities present in your applications and create a plan to remediate them.
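As an added illustration of the two recommendations above (monitor component versions against known advisories, and insist on integrity-checked packages), the following script is a minimal software composition check over a Python requirements file. It is example code written for this article, not an OWASP tool, and the advisory table, package names and hash value are constructed placeholders, not real CVE data.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed advisory table (placeholder ids and ranges, NOT real CVEs):
# package -> list of (first affected version, first fixed version, advisory id).
ADVISORIES = {
    "exampleweb": [("2.0.0", "2.3.1", "ADV-PLACEHOLDER-1")],
    "fastparse":  [("0.9.0", "1.2.0", "ADV-PLACEHOLDER-2")],
}

# Matches "name", "name==1.2.3" or "name>=1.2" at the start of a requirements line.
REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*(==|>=|<=|~=|!=|>|<)?\s*([0-9][0-9A-Za-z.\-]*)?")

# Constructed sample requirements.txt (pip's --hash option appears after the pin).
SAMPLE_REQUIREMENTS = """\
# constructed sample; hash below is a placeholder, not a real digest
exampleweb==2.1.0 --hash=sha256:PLACEHOLDERHASH
fastparse==1.2.0
othertool>=3.0
"""

@dataclass
class Finding:
    package: str
    line: str
    reason: str

def parse_version(v: str) -> tuple:
    """Turn '1.10.0' into (1, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) if p.isdigit() else -1 for p in v.split("."))

def check_requirements(text: str) -> list[Finding]:
    """Flag unpinned lines, pins without a hash, and pins inside an advisory range."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        name, op, ver = REQ_RE.match(line).groups()
        name = name.lower()
        if op != "==" or ver is None:         # a range cannot be audited reliably
            findings.append(Finding(name, raw, "not pinned to an exact version"))
            continue
        if "--hash=" not in line:             # pip --require-hashes would reject this
            findings.append(Finding(name, raw, "no --hash= (integrity not enforced)"))
        for first_bad, first_fixed, adv in ADVISORIES.get(name, []):
            # affected if first_bad <= ver < first_fixed; the fixed version itself is clean
            if parse_version(first_bad) <= parse_version(ver) < parse_version(first_fixed):
                findings.append(Finding(name, raw, f"affected by {adv}; fixed in {first_fixed}"))
    return findings
```

Running `check_requirements(SAMPLE_REQUIREMENTS)` reports the affected `exampleweb` pin, the unhashed `fastparse` pin (which is exactly the first fixed version, so it is not flagged as vulnerable) and the unpinned `othertool` range.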