OWASP Top 10 Deep Dive: Getting a Clear View on Vulnerable and Outdated Components

Most of us think of climbing the ladder as a good thing — but when the ladder in question is OWASP's Top 10 list of application security risks, a sudden upward trajectory is cause for alarm rather than encouragement.

In the 2021 edition of the OWASP list, vulnerable and outdated components moved up 3 positions from 9th place to 6th. This change in status reflects the increasing importance of this vulnerability in modern application development — and the growing worry with which the security community views this risk. In fact, it was rated at No. 2 in the OWASP Top 10 community survey.

So, what's behind the meteoric rise of this category in the minds of application security pros?

The challenge of visibility

The prevalence of vulnerable and outdated components — and the ease of attacks using this vector — make this an especially dangerous category. Almost all modern applications use open-source packages, and information about vulnerabilities related to these packages is widely available. Attackers who figure out what vulnerable packages you're using can use exploits that are already available. That means you have a type of attack that is widespread and straightforward.

But while upgrading and managing vulnerable and outdated components might seem simple in theory, many organizations find that, in practice, the task is anything but easy.

To complicate matters further, modern applications are using an increasing number of third-party and open-source packages. Estimates suggest around 90% of modern applications are utilizing open-source components. With a large number of dependencies — including those often-overlooked nested dependencies — regularly scanning your source code and keeping up to date with security bul ..
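The passage above is where the practical difficulty lies: a manifest lists direct dependencies, but the vulnerable component is often several levels down. The following is an added example, not code from the article or from OWASP, that walks a lockfile-style dependency tree, checks every transitive component against an advisory list, and reports the full dependency path for each hit. The `LOCKFILE` tree and the `ADVISORIES` entries are constructed, hypothetical data for illustration; a real scan would read your project's lockfile and an advisory feed such as OSV or the GitHub Advisory Database.

```python
"""Find vulnerable components anywhere in a dependency tree.

Demonstrates why nested (transitive) dependencies are easy to miss: scanning
only direct dependencies (max_depth=1) reports fewer findings than a full walk.
All package names, versions and advisory ranges below are constructed examples.
"""

# Constructed lockfile-like tree: package -> (pinned version, direct dependencies)
LOCKFILE = {
    "webapp": ("1.0.0", ["frontend-kit", "http-client"]),
    "frontend-kit": ("4.2.1", ["template-engine"]),
    "template-engine": ("2.9.3", []),
    "http-client": ("0.7.0", ["template-engine"]),
}

# Constructed advisory feed: (package, first affected version, first fixed version)
# Versions are tuples so they compare numerically rather than as strings.
ADVISORIES = [
    ("template-engine", (2, 0, 0), (3, 0, 0)),  # hypothetical advisory
    ("http-client", (0, 0, 0), (0, 8, 0)),      # hypothetical advisory
]


def parse_version(version: str) -> tuple:
    """Turn '2.9.3' into (2, 9, 3) so that (2, 9, 3) < (2, 10, 0) holds."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, first_affected: tuple, first_fixed: tuple) -> bool:
    """True when first_affected <= version < first_fixed."""
    return first_affected <= parse_version(version) < first_fixed


def find_vulnerable(root: str, lockfile: dict, advisories: list, max_depth=None) -> dict:
    """Return {package: {"version", "fixed_in", "paths"}} for every vulnerable
    component reachable from root.

    Every dependency path that reaches a vulnerable package is recorded, since
    each one is a separate place that needs an upgrade or an override.
    max_depth=None walks the whole tree; max_depth=1 checks only direct
    dependencies, which is the shallow view that misses nested components.
    Cycles are cut by not revisiting a package already on the current path.
    """
    findings = {}
    stack = [(root, (root,))]
    while stack:
        name, path = stack.pop()
        version, deps = lockfile[name]
        for adv_name, first_affected, first_fixed in advisories:
            if name == adv_name and is_affected(version, first_affected, first_fixed):
                entry = findings.setdefault(
                    name, {"version": version, "fixed_in": first_fixed, "paths": []}
                )
                entry["paths"].append(path)
        if max_depth is not None and len(path) > max_depth:
            continue  # do not descend further than the requested depth
        for dep in deps:
            if dep in path:
                continue  # cycle guard
            stack.append((dep, path + (dep,)))
    return findings


def format_report(findings: dict) -> list:
    """Render findings as one line per vulnerable package, listing each path."""
    lines = []
    for name, entry in sorted(findings.items()):
        fixed = ".".join(str(n) for n in entry["fixed_in"])
        paths = "; ".join(" -> ".join(p) for p in entry["paths"])
        lines.append(f"{name} {entry['version']} (fixed in {fixed}) via {paths}")
    return lines


if __name__ == "__main__":
    print("Direct dependencies only:")
    for line in format_report(find_vulnerable("webapp", LOCKFILE, ADVISORIES, max_depth=1)):
        print("  " + line)
    print("Full transitive walk:")
    for line in format_report(find_vulnerable("webapp", LOCKFILE, ADVISORIES)):
        print("  " + line)
```

Running the script shows the gap the article describes: the direct-only pass reports only `http-client`, while the full walk also reports `template-engine`, reached through two different parents, so fixing one parent's pin would still leave the other path vulnerable.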