Using Components with Known Vulnerabilities

OWASP lists “Using Components with Known Vulnerabilities” as a major issue. Developers tend to pull in libraries from nuget and other sources rather than writting their own components. In general these components are probably of a better quality than an individual would write. However as they are in the public domain once a weakness is found hackers know to look for the same weakness in different sites.

It is difficult to try and keep up to date with every alert. The most sensible approach would seem to be

  • Only include a component or library in your code if you really need it in the first place. If it does only one thing in one place is it needed? Don’t let developers randomly add libraries
  • Maybe try and stick to commonly used libraries and components
  • Build a list of the components and libraries with versions you do use
  • At a regular intervals update the libraries to the latest versions

You can try to keep an eye on security  alerts etc but in my experience unless you have a few large well funded products this will not happen as developers do not have the time.

There is this nuget package from OWASP that will check that none of your nuget packages have know issues.

I tried this library within a solution. Basically I used nuget to add it to every project. The first problem I had was with our web proxy which it did not seem to like. I managed to hook up my machine without the proxy and it seemed to work ok reporting no errors. I will try it on a larger solution and see if it throws an error.

Now you just need to look at the commercial components you use or anything not added through nuget and check these are up to date.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s