OWASP Top Ten advises: Avoid using components with known vulnerabilities. Sonatype can help.

The Open Web Application Security Project (OWASP) has updated their top ten list of application security threats to now include A9, which advises against "using components with known vulnerabilities." These days, applications are 90% comprised of open source or third party components which are shared by developers worldwide. However, most traditional application security methods don’t effectively identify component vulnerabilities.

See how to address OWASP A9 and close the trust gap. Get the white paper

Why are components important to OWASP? A few eye-opening examples...

Open source fuels innovation and is vital to accelerate the pace of development, however lack of visibility into component vulnerabilities and associated fixes means that vulnerable components stay in use years after alerts are issued.

This popular open source web application framework was downloaded 80,000 times even after 30+ public vulnerability announcements.

In 2013 this cryptography API with a Level 10 critical vulnerability was downloaded 20,000 times—despite warnings given five years earlier.

A version of this component with broken SSL validation was downloaded 66,000 times one year after a critical security alert was issued.

Infographic: Learn how you can avoid using vulnerable components

You can’t secure what you can’t manage.

Despite exploding usage, most organizations can’t answer basic questions, such as:

  • What components are used in each application?
  • Which of these components have known security, license or quality issues?
  • How serious is our threat exposure?

Our research shows that 71% of applications contain at least one critical or severe open source vulnerability.

How can Sonatype help you?

Nexus Lifecycle (formerly Component Lifecycle Management) is the first solution to deliver component information, controls, and remediation options in a developer-friendly solution. You can:

Find and remediate
problems early in development using the tools that your developers use everyday. No extra work or delays.

Automate policies
for open source security, license & quality with integration throughout your software development lifecycle.

Monitor continuously
to ensure trust over time, so you'll know when a new risk is discovered and exactly where you are impacted.

See a tour of Nexus Lifecycle

Why is a unique approach needed to address component security?

Unfortunately, our dependence on components is growing faster than our ability to secure them.

While important, Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) do not effectively address component-level security.

A foundation of component governance coupled with SAST and DAST provide a holistic view of your applications risk, including not only the source code that is written and compiled but also the components that are downloaded and assembled.

Learn more about gaps in traditional application security approaches in this paper on the “7 Security Gaps in the Neglected 90% of Your Application.”

Read the white paper

What's Next?

Are there component security or license issues in your applications? Find out in in 2 minutes – it’s confidential and free.

As a free community service, Sonatype offers a proprietary application analysis tool you can use to run your own confidential "application health check."

  • Confidentially and quickly analyze your open source components
  • Create a "bill of materials" inventory of precisely which components are used and where
  • Identify specific security, quality and license risks
  • Analyze both internal and third party applications

Learn More & Start Your Analysis

Want a Nexus Continuous Advantage? Start Here.