Germany/Projekte/Top 10 fuer Entwickler-2013/A9-Benutzen von Komponenten mit bekannten Schwachstellen

Some vulnerable components (e.g., framework libraries) can be identified and exploited with automated tools, expanding the threat agent pool beyond targeted attackers to include chaotic actors. Attacker identifies a weak component through scanning or manual analysis. They customize the exploit as needed and execute the attack. It gets more difficult if the used component is deep in the application. Virtually every application has these issues because most development teams don’t focus on ensuring their components stay up to date. In many cases, the developers don’t even know all the components they are using, never mind their versions. Component dependencies make things even worse. The full range of weaknesses is possible, including injection, broken access control, XSS, etc. The impact could be minimal, up to complete host takeover and data compromise. Consider what each vulnerability might mean for the business controlled by the affected application. It could be trivial or it could mean complete compromise.

Component vulnerabilities can cause almost any type of risk imaginable, from the trivial to sophisticated malware designed to target a specific organization. Components almost always run with the full privilege of the application, so flaws in any component can be serious, The following two vulnerable components were downloaded 22m times in 2011.


 * Apache CXF Authentication Bypass – By failing to provide an identity token, attackers could invoke any web service with full permission.
 * Spring Remote Code Execution– Abuse of the Expression Language implementation in Spring allowed attackers to execute arbitrary code, effectively taking over the server.

Every application using either of these vulnerable libraries is vulnerable to attack as both of these components are directly accessible by application users. Other vulnerable libraries, used deeper in an application, may be harder to exploit.

One option is not to use components that you didn’t write. But realistically, the best way to deal with this risk is to ensure that you keep your components up-to-date. Many open source projects (and other component sources) do not create vulnerability patches for old versions. Instead, most simply fix the problem in the next version. Software projects should have a process in place to:
 * 1) Identify the components and their versions you are using, including all dependencies. (e.g., the versions plugin).
 * 2) Monitor the security of these components in public databases, project mailing lists, and security mailing lists, and keep them up-to-date.
 * 3) Establish security policies governing component use, such as requiring certain software development practices, passing security tests, and acceptable licenses.

= JAVA =

Tbd
tbd '''tbd

Tbd
'''tbd
 * '''tbd
 * '''tbd

Tbd
'''tbd
 * '''tbd
 * '''tbd


 * OWASP Good Component Practices Project


 * The Unfortunate Reality of Insecure Libraries
 * Open Source Software Security
 * Addressing Security Concerns in Open Source Components
 * MITRE Common Vulnerabilities and Exposures

= .NET =

Tbd
tbd '''tbd

Tbd
'''tbd
 * '''tbd
 * '''tbd

Tbd
'''tbd
 * '''tbd
 * '''tbd


 * tbd !!


 * tbd!!

= Test =

tbd Text

tbd Text

tbd (ganze Breite) Text

Text

Text