OWASP Top Ten – Vulnerable and Outdated Components


Vulnerable and Outdated Components

This is the first post in a series of posts that will cover the OWASP Top Ten. Today’s post will cover Vulnerable and Outdated Components.

This is a very common vulnerability found in nearly every penetration test. It boils down to running software that has not been updated, or software that is obsolete and no longer supported. This sounds like something that can be easily remediated, but sometimes it can be very hard.

For example, frequently Brackish testers find Operational Technology (OT) devices that are long out of date, but replacing or updating these devices can be significantly troublesome. Take a boiler system that was installed 25 years ago that heats the whole complex and for which there is no software update. The replacement of this system could be very time consuming and costly, and will not happen overnight.

Preparation and prevention

In this case, preparation is key to prevention. To start with, upgrades to hardware and software need to be factored into budgets to allow for vulnerable and outdated components to be upgraded/replaced as necessary.

Furthermore, all software in use within a business should be inventoried. This inventory is called a Software Bill of Materials (SBOM). It enables a quick determination to be made as to whether your business is running a vulnerable application, package, module, etc., by cross-referencing the inventory against published advisories.
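As an added illustration (not code from the original post), here is a minimal Python check that cross-references a constructed CycloneDX-style SBOM against a constructed advisory list. Package names and advisory IDs are hypothetical placeholders, and the "fixed": None case models the post's obsolete, unsupported component for which no update exists.

```python
import json
from typing import Optional

# Constructed, minimal CycloneDX-style SBOM (hypothetical package names).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "example-webframework", "version": "2.4.1"},
    {"name": "example-xmlparser",    "version": "1.0.9"},
    {"name": "example-boiler-ctl",   "version": "3.2.0"}
  ]
}
"""

# Constructed advisory feed: placeholder IDs, not real CVEs.
# "fixed": None means no fixed release exists (obsolete/unsupported).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "name": "example-webframework",
     "introduced": "2.0.0", "fixed": "2.4.2"},
    {"id": "ADV-EXAMPLE-0002", "name": "example-xmlparser",
     "introduced": "1.0.0", "fixed": "1.0.9"},
    {"id": "ADV-EXAMPLE-0003", "name": "example-boiler-ctl",
     "introduced": "0.0.0", "fixed": None},
]

def parse_version(v: str) -> tuple:
    """'1.10.0' -> (1, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """Affected if introduced <= version < fixed, or if no fixed release exists."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)

def find_vulnerable(sbom_json: str, advisories: list) -> list:
    """Return (name, version, advisory id, action) for each affected component."""
    findings = []
    for comp in json.loads(sbom_json)["components"]:
        for adv in advisories:
            if adv["name"] == comp["name"] and is_affected(
                    comp["version"], adv["introduced"], adv["fixed"]):
                action = (f"upgrade to {adv['fixed']}" if adv["fixed"]
                          else "no fix available: budget for replacement")
                findings.append((comp["name"], comp["version"], adv["id"], action))
    return findings

if __name__ == "__main__":
    for name, version, adv_id, action in find_vulnerable(SBOM_JSON, ADVISORIES):
        print(f"{name} {version}: {adv_id} ({action})")
```

Note that the component already at its fixed version (1.0.9) is correctly not reported, while the unsupported one is flagged for replacement rather than upgrade.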

Penetration Testing

One of the main components of a penetration test is scanning for outdated components with known vulnerabilities. These vulnerabilities could allow an attacker to access systems and information they are not supposed to access. Brackish Security can help you with this. Our testers have significant experience finding outdated and vulnerable components. In fact, Brackish testers have found multiple novel exploits and vulnerabilities, and have been awarded multiple CVEs.

Contact us today for a free quote!