This type of security breach is very common. The component-based development model means that most development teams don't know which components are used in their applications or APIs, let alone keep them up to date. Scanners such as retire.js help detect such components, but determining whether a known vulnerability is actually exploitable takes extra effort.
While the impact on some known vulnerabilities is minimal, many of today's most serious security incidents exploit known vulnerabilities in components. Depending on the assets you are protecting, the level of risk can be high.
1. Causes of vulnerabilities.
Developers pay attention only to their own code and do not care about the security of the third-party components they use.
Developers don't know all the components they use or depend on (server-side and client-side).
Software that is vulnerable, unsupported, or no longer maintained is used. This includes the OS, web servers, application servers, database management systems (DBMS), applications, APIs and all their components, runtime environments, and libraries. Vulnerability scans are not run regularly, and security bulletins for the components in use are not followed.
Failure to fix or upgrade underlying platforms, frameworks, and dependencies in a timely, risk-based manner, and failure by software engineers to test the compatibility of newer, upgraded, or patched components. Components are not securely configured (see "A6:2017 - Security Misconfiguration").
2. Vulnerability impact.
Vulnerability inheritance.
Data loss.
Information breaches.
An attacker can exploit vulnerabilities in components to carry out further attacks.
3. How to defend.
There should be a patch management process in place:
Remove unused dependencies, unneeded features, components, files, and documents;
Use tools such as versions, OWASP Dependency-Check, and retire.js to continuously record the version information of client-side and server-side components and their dependent libraries. Continuously monitor sources such as CVE and NVD for vulnerability information on the components in use; this can be automated with software composition analysis tools. Subscribe to email alerts about security vulnerabilities in the components you use;
Securely obtain components from official sources and use signature mechanisms to reduce the risk of components being tampered with or having malicious code added.
Keep the application up to date;
Monitor libraries and components that are no longer maintained or for which no security patches are released. If patching is not possible, consider deploying a virtual patch to monitor, detect, or protect against the issue.
Every organization should have a plan in place to monitor, review, upgrade, or change configurations throughout the software lifecycle.
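The inventory-and-monitor step above is the part of a patch management process that is easiest to automate. The following is an added example (not from the original article and not the code of any of the tools it names) of the core logic such a check performs: it parses a pinned component inventory, compares each pinned version against an advisory feed with affected version ranges, and separates findings that have a fix from those that do not (the case where a virtual patch is the fallback). The inventory, the component names and the advisory identifiers (`ADV-EXAMPLE-*`) are all constructed placeholders, not real packages or CVEs.

```python
"""Match a pinned component inventory against an advisory feed (added example)."""
import re
from dataclasses import dataclass
from typing import Optional


def parse_version(v: str) -> tuple:
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


@dataclass
class Advisory:
    component: str
    ident: str            # advisory id; real feeds carry CVE ids here
    introduced: str       # first affected version (inclusive)
    fixed: Optional[str]  # first fixed version (exclusive); None = no fix released


def is_affected(version: str, adv: Advisory) -> bool:
    """True when version lies in [introduced, fixed) or fixed is unknown."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed is None:
        return True
    return v < parse_version(adv.fixed)


def parse_inventory(text: str) -> dict:
    """Parse 'name==version' lines (pip requirements style), ignoring comments."""
    inventory = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        inventory[name.strip().lower()] = version.strip()
    return inventory


def find_vulnerable(inventory: dict, advisories: list) -> list:
    """Return (component, pinned version, advisory id, remediation) for every hit."""
    findings = []
    for adv in advisories:
        version = inventory.get(adv.component.lower())
        if version is not None and is_affected(version, adv):
            action = "no fix available" if adv.fixed is None else f"upgrade to >= {adv.fixed}"
            findings.append((adv.component, version, adv.ident, action))
    return findings


# Constructed sample inventory (placeholder component names, not real packages).
SAMPLE_INVENTORY = """
# server-side dependencies
examplelib==2.3.1
parserkit==0.9.0
oldframework==1.4.2
"""

# Constructed sample advisory feed (placeholder ids, not real CVEs).
SAMPLE_ADVISORIES = [
    Advisory("examplelib", "ADV-EXAMPLE-1", introduced="2.0.0", fixed="2.3.2"),
    Advisory("parserkit", "ADV-EXAMPLE-2", introduced="1.0.0", fixed="1.0.3"),
    Advisory("oldframework", "ADV-EXAMPLE-3", introduced="1.0.0", fixed=None),
    Advisory("notinstalled", "ADV-EXAMPLE-4", introduced="0.1.0", fixed="0.2.0"),
]


if __name__ == "__main__":
    for component, version, ident, action in find_vulnerable(
        parse_inventory(SAMPLE_INVENTORY), SAMPLE_ADVISORIES
    ):
        print(f"{component}=={version}: {ident} -> {action}")
```

Run as a script it reports examplelib (fix available) and oldframework (no fix), and stays silent on parserkit, whose pinned 0.9.0 is below the affected range. In a real pipeline the inventory would come from the lock file or an SBOM and the advisory list from NVD or the package ecosystem's advisory database; the version-range comparison is the part that must not be done with string comparison, which is why `parse_version` exists.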