Using Components with Known Vulnerabilities prevention

WordPress + blog + secure coding + DevSecOps + Website security + OWASP TOP 10 Z. Oualid today

Background
share close

With the race to make software development even faster, companies start to adopt a new way technique based on using already developed code components. Unfortunately, this development technique comes with many security vulnerabilities that have made the software even less secure regardless of the enhancement the used development technology has put in place. So how you can prevent using components with known vulnerabilities?

Here are six things you should do to prevent using components with known vulnerabilities:

  • Use components from official repositories
  • Remove unused components
  • Only accept components with active support
  • Put a vulnerability management system for you components
  • Put in place a components firewall
  • Remove or replace components with a stopped support

Using components with known vulnerabilities is a very common vulnerability, and I have personally discovered it on multiple websites and it is also one of the OWASP TOP 10 vulnerabilities. Therefore, in this blog post, I am going to walk you through all the things that you can put in place to avoid this kind of vulnerability in your source code. I will give you also some real examples of where this type of vulnerability is commonly discovered. So if you are interested, then just keep reading.

Use components from official repositories

Software development technology has radically changed from what it was at the beginning. I mean new concepts were introduced, and there is a trend to make software development even faster. That’s why software companies start to use already developed components to accelerate the process. Moreover, a lot of people around the world have started to share their code to help others and to contribute to the open-source community.

This spirit of sharing source code is a great thing and helps in making the technology itself even more efficient. However, those source codes usually come with so many vulnerabilities and bugs, as they usually don’t get correctly tested for both security problems and functionalities bugs.

In addition, a lot of those source codes are published in a public repository where anyone can contribute to them. And yes sometimes, some bad people try to inject backdoors on them especially if they know that a certain source code is very popular among developers.

Therefore, software development companies should avoid those kinds of source code and stick to only components coming from official repositories.

Of course, this will reduce the software development speed as not all the useful components are published in the official repositories. However, it will help avoid this type of vulnerability that can be destructive to your web application.

Remove unused components

In many cases, developers tend to forget about unused components and simply leave them in the application source code. You should know that this is very dangerous and could make your website vulnerable if any of those unused components has a known vulnerability.

Having a source code in your website either used or not still accessible from a regular website user through a path brute-forcing. Therefore, by finding the path to these components the attacker can execute its code and exploit the vulnerability.

I have seen this many times when I was performing a penetration test against a WordPress website. in many cases, webmasters just deactivate a plugin as they just don’t use it anymore and forget about it. By disabling a plugin you stop updating it, which in many cases leads to making it vulnerable to know vulnerabilities that get patched in the best scenarios by their vendors in newer versions.

Only accept components with active support

When you as a developer or as a webmaster need to include new components in your website, try to first check if it has great support. Trust me, source code without real support is useless, even if it has the best feature you want. Even if the component was developed with security in mind and all those stuff.

For example, at any moment any library of the used technology can be discovered as vulnerable. Then you will need to make an update, and without active support, you may wait for weeks or even months before fixing it.

If you have the right expertise and skills to maintain these components without the need for the vendor, then it is okay to use them. However, a full code review should be done to this source code to reduce the risk of possible vulnerabilities or backdoors that can be discovered in near future by security researchers.

Put a vulnerability management system for your components

You should know that having components from an official repository does not mean that these components are clean from vulnerabilities. Therefore, putting in place a vulnerability management system is required to secure your application.

A vulnerability management system in the context of development is a system that will collect feeds from multiple sources and alerts you if any vulnerability gets discovered in your components. Moreover, this system will manage the whole lifecycle of a vulnerability from detection to patching.

Even after patching a vulnerability a lot of produced patch may create other vulnerabilities itself or at least do not fully cover the vulnerability, in other words, get bypassed by other techniques. Therefore, the vulnerability management system will keep an eye on that and alerts you if something like this happens.

Put in place a components firewall

Checking manually if a component has a vulnerability or not is not always feasible especially when dealing with NodJs or technologies that use multiple libraries and plugins at once. Therefore, using a sort of components firewall that you go through once you want to get a component is very useful.

This technology makes all the necessary checks for you to ensure that you don’t use vulnerable components. This technology is being used especially in DevSecOps where we try to automate as much as possible the security checks.

Here are two of the most popular firewalls in the market:

Unfortunately, and to the best of my knowledge, there is no components security firewall for CMS-based websites like WordPress or Joomla, or any other one.

Remove or replace components with a stopped support

In many cases, some used components fall at the end-of-life situation, which stops their support. In this situation, you have two options. If you have the skills to keep maintaining these components and update them whenever a new vulnerability is detected then keep using them. However, if you don’t, then you should remove or replace them.

Written by: Z. Oualid

Rate it

About the author
Avatar

Z. Oualid

I am a Cyber Security Expert, I have worked with many companies around the globe to secure their applications and their networks. I am certified OSCP and OSCE which are the most recognized and hard technical certifications in the industry of cybersecurity. I am also a Certifed Ethical hacker (CEH). I hope you enjoy my articles :).


Previous post

Post comments (0)

Leave a reply

Your email address will not be published. Required fields are marked *