Addressing Application Security Training Issues
How many 3rd party components, frameworks, and libraries are present within your organization’s infrastructure?
This can be a tough question to answer, but it’s an important one in a world where attackers are knocking on the doors of our servers trying to find a way in. …It’s not just operating systems that need to be patched on a regular basis …And it’s also not just commonly used applications like our browsers, or Flash, or Acrobat that need to be patched. Our developers are often using 3rd party tools to create applications to speed up the development process.
So, what happens when those 3rd party components, frameworks, and libraries are updated by their creators?
If they aren’t updated within your organization’s infrastructure on a regular basis, these vulnerable components can be as big of a security risk as if an operating system was unpatched. In fact, the OWASP Top Ten list of 2013 states that “Using Components with Known Vulnerabilities” is one of the most common issues that organizations face today. If there is not a process in place to keep track of when 3rd party components are updated, then your organization may have this vulnerability present within their infrastructure.
Keeping track of when 3rd party components are updated is a project management issue.
Often, there is no set schedule for when updates will take place, so the burden is on the users of these components to be aware of when updates occur. Keeping up to date with 3rd part components mailing lists may be a useful way to know when an update has been made. However, if the component is open source, there many not always be an announcement. …Keep it mind, it is still up to the organization that is using that component to remain vigilant for any updates (especially security updates) that are made to the 3rd party components. This may sound like an onerous and expensive process, but better this than finding out that a data breach occurred due to an 3rd party component that had a patch released for it over a year ago…but the patch was never installed!