OWASP vulnerable and outdated components (noun)
Rick Howard: The word is: OWASP vulnerable and outdated components.
Rick Howard: Spelled: O for open, W for web, A for application, S for security, P for project, vulnerable, as in defenseless against attack, and outdated components as in parts that are obsolete.
Rick Howard: Definition: Software libraries, frameworks, packages, and other components, and their dependencies (third-party code that each component uses) that have inherent security weaknesses, either through newly discovered vulnerabilities or because newer versions have superseded the deployed version.
Rick Howard: Example sentence: Most likely you have vulnerable and outdated components on your hands if your OS or web application server or database management system is unsupported or not up to date.
Rick Howard: Origin and context: Dave Wichers and Jeff Williams, working for Aspect Security, a software consulting company, published an education piece in 2003 on the top software security coding issues of the day. That eventually turned into the OWASP Top 10, a reference document describing the most critical security concerns for web applications. Today, OWASP is an international team of security professionals led by the Foundation Executive Director and Top 10 project leader, Andrew van der Stock, and dedicated to enabling organizations to develop, purchase, and maintain applications and APIs that can be trusted.
Rick Howard: Today there are tens of thousands of members and hundreds of chapters worldwide. In the OWASP 2021 Top 10 vulnerabilities list, the committee moved vulnerable and outdated components up three positions to number 6. This is essentially vulnerability management.
Rick Howard: According to Rapid7, it's the process of identifying, evaluating, treating, and reporting on security vulnerabilities in systems and the software that runs on them. This is hard enough to do on the systems that network defenders are directly responsible for, like laptops, servers, and mobile devices.
Rick Howard: But in 2021, with a series of high-profile third-party attacks against the digital supply chain (SolarWinds, Accellion, and Log4j), vulnerability management has become exponentially harder to do. According to Synopsys, in an audit of their customer base in April 2021, "75% of all code bases were composed of open source" and "85% contained open source dependencies that were more than four years out of date."
Rick Howard: Having the ability to know that you have open source components nested within your operational code is key and essential to minimize the risk. The industry's best practice is to deploy some kind of scanning system that continuously crawls your digital environments, discovers running software, checks for known vulnerabilities, and facilitates the patch process when discovered. To reduce the risk even further, the same zero trust strategy that we use for reducing the attack surface of employees and devices should be used for software components. This means that creating and maintaining an inventory of all your organization's software is essential.
Rick Howard: If you have a robust software inventory, you then can deploy policy to limit software component access to only the internal resources it absolutely needs to function, and nothing else.
Rick Howard: Nerd reference: The Panamanian law firm Mossack Fonseca closed its doors in March 2018 due to the leak of 2.6 terabytes of data comprising 11.5 million documents of client-attorney information.
Rick Howard: According to the folks at E Munni Web, the breach resulted because of the exploitation of unpatched versions of WordPress and Drupal. Mossack Fonseca had failed to apply the appropriate security updates.
Rick Howard: In April 2016, on the Late Night with Seth Meyers talk show, Mr. Meyers explains the tax haven that Mossack Fonseca facilitated, and some of the government officials and celebrities who had their data leaked.
Seth Meyers: A massive leak of confidential documents known as the Panama Papers has implicated as many as 12 current or former heads of state and some of the world's wealthiest people in a huge international tax avoidance and corruption scandal. For more on this, it's time for a closer look.
Seth Meyers: The leaked documents come from a law firm named Mossack Fonseca, based in Panama, a country best known for hats favored by business casual hipsters, old rich guys in sports cars, and Sean Connery, the world's hippest old rich guy. The law firm is known for helping foreigners set up shell companies in Panama to hold their financial assets in secret.
Seth Meyers: Now, this story is massively important because it reveals the degree to which wealthy and powerful people have been allowed to hide their wealth and avoid taxes. And in this case, that includes some high-profile names you may recognize. Vladimir Putin, investigators say, at the center of a star-studded list of 12 current and former heads of state, like the King of Saudi Arabia, even celebrities like Jackie Chan.
Seth Meyers: First of all, what a shame that Jackie Chan and Vladimir Putin are showing up together in anything other than Rush Hour 4: Russian Hour.
Rick Howard: Word Notes is written by Nyla Gennaoui, executive produced by Peter Kilpe, and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.