OWASP Top 10 Part 9: Using Components with Known Vulnerabilities

Time: 12 hours 57 minutes
Difficulty: Intermediate
CEU/CPE: 13
Video Transcription
OWASP Top 10, Number 9: Using components with known vulnerabilities.

In this lesson we're going to talk about the risks associated with components with known vulnerabilities, the impact, and techniques to address the consequences of using components with known vulnerabilities.

Vulnerabilities are everywhere. The more important thing is being aware of potential vulnerabilities. All these applications in the cloud, web applications especially, may use different versions of software or components. That creates dependencies depending on what version of the application you're running, and then also, in order to prefer physical performance or functionality, which versions of underlying software or libraries are being used.

Vulnerabilities especially crop up with software that is older and unsupported, meaning new patches to the vulnerabilities are not coming out. Another important thing is that vulnerabilities can continue to crop up if you're not doing effective patching and scanning of your web applications to ensure that known vulnerabilities are discovered and remediated.

That takes us to the prevention aspect of it. In order to patch known vulnerabilities, you have to know what software you're using and what libraries are being used in your application. You really need to create an appropriate software inventory to keep an eye out for vulnerabilities. Many of the common vulnerabilities that are out there have a Common Vulnerabilities and Exposures number, a CVE number, associated with them. By setting up alerts related to the software that you're using as well as the libraries you are using, you can keep an eye on new vulnerabilities as they emerge and patch them accordingly to readdress those vulnerabilities.

If you have to use an older or unsupported version of software, you really need to introduce further controls regarding logging and monitoring to make sure that you detect any possible exploit of those existing vulnerabilities, if you truly need them for a business reason.

Quiz question: what does CVE stand for?

Common Vulnerable Execution.
Common Vulnerabilities and Exposures.
Change Vulnerable Exposure.

If you said Common Vulnerabilities and Exposures, you are correct. You will often see CVE followed by a year and then a particular number, referencing the year the vulnerability was discovered and then its identifier.

Staying on top of CVEs related to software and applications that your organization uses is critical to ensure that they are not exploited.

In summary, we talked about the risks that are associated with using components with known vulnerabilities; the impact, namely that they'll be more easily exploitable and that the older the vulnerability is, the more likely it is that threat actors will know about it; then the methods to address these exploits, basically patching and being aware of what software you're using, the underlying dependencies and the libraries that it utilizes, and then setting up appropriate alerts to determine, discover any new vulnerabilities that emerge and patching them accordingly.

All right, I'll see you in the next lesson.
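The prevention steps in this lesson (keep a software inventory, match it against published CVEs, alert on anything affected) can be automated in a few dozen lines. The script below is an added example and is not part of the lesson or Cybrary's material. The inventory, the advisory list and the `CVE-0000-NNNN` identifiers are constructed placeholders, and the advisory record layout (a package name plus `introduced`/`fixed` version ranges, loosely modelled on how public advisory feeds express affected versions) is an assumption of this example. It also generalizes slightly beyond the lecture by handling a component with no fixed version yet, which is the "older or unsupported software" case that calls for compensating logging and monitoring.

```python
import re

# CVE identifiers are "CVE-<year>-<sequence>", as described in the lesson.
CVE_ID = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def parse_version(v: str) -> tuple:
    """Turn '1.10.0' into (1, 10, 0); non-numeric parts are ignored."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def version_lt(a: str, b: str) -> bool:
    """Numeric component-wise comparison; '1.2' == '1.2.0', '1.9.4' < '1.10.0'."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    return pa < pb


def is_affected(version: str, rng: dict) -> bool:
    """Affected when introduced <= version < fixed; a missing 'fixed' means no patch exists yet."""
    if version_lt(version, rng["introduced"]):
        return False
    fixed = rng.get("fixed")
    if fixed is not None and not version_lt(version, fixed):
        return False
    return True


def cve_year(cve_id: str):
    """Extract the year embedded in a CVE id, or None if the id is malformed."""
    m = CVE_ID.match(cve_id)
    return int(m.group(1)) if m else None


def match_inventory(inventory: dict, advisories: list) -> list:
    """Return one finding per (component, advisory) pair where the installed version is affected."""
    findings = []
    for pkg, ver in inventory.items():
        for adv in advisories:
            if adv["package"] != pkg:
                continue
            for rng in adv["ranges"]:
                if is_affected(ver, rng):
                    findings.append({
                        "package": pkg,
                        "version": ver,
                        "id": adv["id"],
                        "fixed": rng.get("fixed"),   # None => no patch, needs compensating controls
                        "year": cve_year(adv["id"]),
                    })
                    break
    # Oldest advisories first: the lesson's point is that older bugs are the best known.
    return sorted(findings, key=lambda f: (f["year"] or 0, f["package"]))


# Constructed software inventory: component name -> version in use (not real packages).
INVENTORY = {
    "examplelib": "2.3.1",
    "parsekit": "1.10.0",
    "netclient": "0.9.5",
    "renderer": "4.0.0",
}

# Constructed advisory feed; CVE-0000-* ids are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "CVE-0000-0001", "package": "examplelib",
     "ranges": [{"introduced": "2.0.0", "fixed": "2.3.2"}]},
    {"id": "CVE-0000-0002", "package": "parsekit",
     "ranges": [{"introduced": "1.0", "fixed": "1.9.4"}]},       # 1.10.0 is already past the fix
    {"id": "CVE-0000-0003", "package": "netclient",
     "ranges": [{"introduced": "0", "fixed": None}]},            # unsupported: no fix published
    {"id": "CVE-0000-0004", "package": "renderer",
     "ranges": [{"introduced": "3.0.0", "fixed": "3.2.0"},
                {"introduced": "4.0.0", "fixed": "4.0.1"}]},
]


def report(findings: list) -> list:
    """Human-readable alert lines, one per finding."""
    lines = []
    for f in findings:
        action = f"upgrade to {f['fixed']}" if f["fixed"] else "NO FIX AVAILABLE: add logging/monitoring controls"
        lines.append(f"{f['id']}: {f['package']} {f['version']} affected, {action}")
    return lines


if __name__ == "__main__":
    for line in report(match_inventory(INVENTORY, ADVISORIES)):
        print(line)
```

In a real pipeline the inventory would be generated from the build (a lock file or an SBOM), the advisory list would be pulled from a public feed such as NVD or OSV on a schedule, and version comparison would come from a proper library such as `packaging` rather than the numeric-only comparison used here; the shape of the check, inventory joined against advisories with the unfixed cases routed to compensating controls, stays the same.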