A9 – Where to look for known vulnerabilities on third-party components
Today's Web applications are no longer the work of a single developer, or even of a single development team. Building a functional, user-friendly, attractive-looking Web application now means relying on third-party components: programming libraries, APIs to external services (Facebook, Google, Twitter), development frameworks, and many others, in whose programming, testing, and patching we have little or no involvement.
Sometimes these third-party components turn out to be vulnerable to attacks, and they pass those vulnerabilities on to our applications. Many of the applications that embed vulnerable components take a long time to be patched, which makes them a weak spot in the security of an entire organization. That is why OWASP classifies the use of third-party components with known vulnerabilities as the ninth most critical threat to a Web application's security.
In this recipe, we will see where to look...
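As an added illustration (not code from this recipe or the book), the following script shows the core of what such a check does: it reads a pinned dependency manifest and matches each component's version against an advisory list. The manifest, package names and advisory identifiers are constructed placeholders, not real packages or CVE numbers, and versions are compared numerically so that, for example, 2.19 is not mistaken for being older than 2.6.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a pinned dependency manifest (requirements.txt style).
# Package names and versions are invented for the example.
SAMPLE_MANIFEST = """\
# web app dependencies (constructed sample)
webframe==0.12.2
httpclient==2.19.1
templater==2.10
yamlparse==3.13
"""

# Constructed advisory list: package -> [(advisory_id, first_vulnerable, first_fixed)].
# The IDs are placeholders, not real CVEs; a real check would load this from an
# advisory source such as the NVD or the package ecosystem's own security feed.
SAMPLE_ADVISORIES: Dict[str, List[Tuple[str, str, str]]] = {
    "webframe": [("ADV-PLACEHOLDER-001", "0.0", "1.0")],
    "yamlparse": [("ADV-PLACEHOLDER-002", "0.0", "5.1")],
    "httpclient": [("ADV-PLACEHOLDER-003", "2.0", "2.6.0")],
}

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.10.1' into (2, 10, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def parse_manifest(text: str) -> Dict[str, str]:
    """Extract 'name==version' pins; comments, blanks and unpinned lines are skipped."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9_.\-]+)==([0-9][0-9.]*)$", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins

def audit(manifest: str, advisories=SAMPLE_ADVISORIES) -> List[Tuple[str, str, str]]:
    """Return (package, version, advisory_id) for every pin whose version falls in
    the vulnerable range [first_vulnerable, first_fixed)."""
    findings = []
    for name, ver in parse_manifest(manifest).items():
        v = parse_version(ver)
        for adv_id, first_vuln, first_fixed in advisories.get(name, []):
            if parse_version(first_vuln) <= v < parse_version(first_fixed):
                findings.append((name, ver, adv_id))
    return findings

if __name__ == "__main__":
    for pkg, ver, adv in audit(SAMPLE_MANIFEST):
        print(f"{pkg}=={ver} is affected by {adv}; upgrade to the fixed release")
```

Note that httpclient 2.19.1 is not reported: its advisory was fixed in 2.6.0, and a naive string comparison would have flagged it.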