OWASP Top 10 Security Risks – Part V

To bring awareness to what threatens the integrity of websites, we are continuing a series of posts on the OWASP top 10 security risks.

The OWASP Top 10 list consists of the 10 most seen application vulnerabilities:

1. Injection
2. Broken Authentication
3. Sensitive data exposure
4. XML External Entities (XXE)
5. Broken Access control
6. Security misconfigurations
7. Cross Site Scripting (XSS)
8. Insecure Deserialization
9. Using Components with known vulnerabilities
10. Insufficient logging and monitoring

In our previous posts, we explained the first eight items on the OWASP Top 10 list. Today, we are going to explore items 9 and 10: using components with known vulnerabilities and insufficient logging and monitoring.

9. Using Components with Known Vulnerabilities

These days, even simple websites such as personal blogs have a lot of dependencies.

We can all agree that failing to update every piece of software on the backend and frontend of a website will, without a doubt, introduce heavy security risks sooner rather than later.

For example, our hacked website report for 2017 has a dedicated section around outdated CMSs. This report shows that at the time of the infection:

• 39.3% of WordPress websites were out of date;
• 69.8% of Joomla! websites were out of date;
• 65.3% of Drupal websites were out of date;
• 80.3% of Magento websites were out of date.

The question is, why aren’t we updating our software on time? Why is this still such a huge problem today?

There are some possibilities, such as:

• Webmasters/developers cannot keep up with the pace of the updates; after all, updating properly takes time.
• Legacy code won’t work on newer versions of its dependencies.

This might be a little too dramatic, but every time you disregard an update warning, you might be allowing a now known vulnerability to survive in your system. Trust me, cybercriminals are quick to investigate software and update changelogs.

Whatever the reason for running out-of-date software on your web application is, you can’t leave it unprotected. Both Sucuri and OWASP recommend virtual patching for the cases where patching is not possible.

Virtual patching affords websites that are outdated (or with known vulnerabilities) to be protected from attacks by preventing the exploitation of these vulnerabilities on the fly. This is usually done by a firewall and an intrusion detection system.

Vulnerable Applications

Vulnerable applications are usually outdated, according to OWASP if:

• You do not know the versions of all components you use (both client-side and server-side). This includes components you directly use as well as nested dependencies
• The software is vulnerable, unsupported, or out of date. This includes the OS, web/application server, database management system (DBMS), applications, APIs and all components, runtime environments, and libraries.
• You do not fix or upgrade the underlying platform, frameworks, and dependencies in a risk-based, timely fashion. This commonly happens in environments when patching is a monthly or quarterly task under change control, which leaves organizations open to many days or months of unnecessary exposure to fixed vulnerabilities.
• The software developers do not test the compatibility of updated, upgraded, or patched libraries.
• You do not secure the components’ configurations.

You can subscribe to our blog feed to be on top of website security issues.

Not having an efficient logging and monitoring process in place can increase the chances of a website compromise.

Here at Sucuri, we highly recommend that every website is properly monitored. If you need to monitor your server, OSSEC is freely available to help you. OSSEC actively monitors all aspects of system activity with file integrity monitoring, log monitoring, root check, and process monitoring.