OWASP A06:2021 – Vulnerable and Outdated Components

Owned by Uwe Wahser
Last updated: Aug 01, 2023
1 min read

Description

You are likely vulnerable:

  • If you do not know the versions of all components you use (both client-side and server-side). This includes components you directly use as well as nested dependencies.

  • If the software is vulnerable, unsupported, or out of date. This includes the OS, web/application server, database management system (DBMS), applications, APIs and all components, runtime environments, and libraries.

  • If you do not scan for vulnerabilities regularly and subscribe to security bulletins related to the components you use.

  • If you do not fix or upgrade the underlying platform, frameworks, and dependencies in a risk-based, timely fashion. This commonly happens in environments when patching is a monthly or quarterly task under change control, leaving organizations open to days or months of unnecessary exposure to fixed vulnerabilities.

  • If software developers do not test the compatibility of updated, upgraded, or patched libraries.

  • If you do not secure the components’ configurations (see A05:2021-Security Misconfiguration).

Further Reading

Did you encounter a problem or do you have a suggestion?

Please contact our Service Desk


This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. https://creativecommons.org/licenses/by-sa/4.0/