Most of us think of climbing the ladder as a good thing — but when the ladder in question is OWASP's Top 10 list of application security risks, a sudden upward trajectory is cause for alarm rather than encouragement.

In the 2021 edition of the OWASP list, vulnerable and outdated components moved up 3 positions from 9th place to 6th. This change in status reflects the increasing importance of this vulnerability in modern application development — and the growing worry with which the security community views this risk. In fact, it was rated at No. 2 in the OWASP Top 10 community survey.

So, what's behind the meteoric rise of this category in the minds of application security pros?

The challenge of visibility

The prevalence of vulnerable and outdated components — and the ease of attacks using this vector — make this an especially dangerous category. Almost all modern applications use open-source packages, and information about vulnerabilities related to these packages is widely available. Attackers who figure out what vulnerable packages you're using can use exploits that are already available. That means you have a type of attack that is widespread and straightforward.

But while upgrading and managing vulnerable and outdated components might seem simple in theory, many organizations find that, in practice, the task is anything but easy.

To complicate matters further, modern applications are using an increasing number of third-party and open-source packages. Estimates suggest around 90% of modern applications are utilizing open-source components. With a large number of dependencies — including those often-overlooked nested dependencies — regularly scanning your source code and keeping up to date with security bulletins and remediation information is daunting.

With modern CI/CD pipelines and complex infrastructure, there's a large gap between development and production, giving teams low visibility into what's running on production instances. Between source code and application instances, there's often complex machinery, multiple teams involved, and multiple points of failure. This makes it challenging for SOC analysts, incident responders, and security teams to get information they need, including:

  • The difference between vulnerabilities that are in production vs development
  • Vulnerability exposure duration
  • The difference between multiple application instances

Achieving clarity

Having the right tools in place to get a clearer view of this complex picture is key to understanding where there might be vulnerable components in your application build and remediating them quickly — before a vulnerability becomes a breach.

tCell by Rapid7 provides teams with an end-to-end approach that considers both development and production. After the application is deployed, the tCell server agent inspects packages at server startup and sends per-host package and version information to the tCell backend. Through a multitude of sources including Snyk Intel, NVD, and proprietary research, tCell is providing daily-updated vulnerability and remediation information, the tCell dashboard provides this information and more, including out-of-date packages and mismatched versions.

The packages dashboard shows a summary of packages and versions, filterable by vulnerabilities. This dashboard only has packages and versions that either were live at some point or are currently live on application instances. This helps filter out the noise for security teams, so they can see the real, critical issues and remediate them quickly.

Each package in the package dashboard has an overview providing vulnerability and remediation information.

As you drill further down, each package overview has information about exposure duration broken down per host.

Any application that uses open-source and third-party packages is at risk for attacks that leverage vulnerable and outdated components. In modern application development, that's nearly all of them.

But managing the many layers of dependencies inherent in applications that use open-source components is a challenging task for security teams, and the issues only grow worse with complex infrastructure between development and production. A tool like tCell can provide security teams the clarity they need to cut through the complexity of today's application development and production workflows, catching vulnerable components early and patching them quickly.

Check out our previous post on this year's top threat on the OWASP list: injection.