9. Using Components With Known Vulnerabilities. As its title states, this vulnerability arises when applications are built and run using components that contain known vulnerabilities.
- Example: Because of the volume of components used in development, a development team may not even know or understand which components its application uses. Those components can fall out of date and leave the application vulnerable to attack.
- Solution: Remove unused dependencies, unnecessary features, components, files, and documentation. Continuously inventory the versions of both client-side and server-side components.
10. Insufficient Logging And Monitoring. Logging and monitoring should be performed on an application frequently to confirm that it is secure and working as intended. Failure to adequately log and monitor a site leaves it open to more severe compromise, because malicious activity goes unnoticed.
- Example: Auditable events such as logins, failed logins, and other important activities are not logged, leaving the application vulnerable and its developers unable to detect the resulting attacks.
- Solution: Ensure all failures are logged with sufficient user context to identify suspicious or malicious accounts. Establish effective monitoring and alerting so that suspicious activities are detected and responded to in a timely fashion. Ensure that logs are generated in a format that can be easily consumed by a centralized log management solution.
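The following added example (not part of the original list) illustrates the item 10 solution: an application emits each auditable event as one JSON line carrying user context, a check confirms the required context fields are present, and a simple monitor flags accounts whose failed logins reach a threshold. The event names, field names, and the sample events are constructed for this example.

```python
import json
import logging
from collections import defaultdict
from datetime import datetime, timezone

logging.basicConfig(level=logging.INFO, format="%(message)s")
AUDIT = logging.getLogger("audit")

# Fields every audit record must carry so that a suspicious account can be
# identified later (assumed schema; a real deployment may add request ids etc.).
REQUIRED = ("ts", "event", "user", "src_ip", "outcome")


def log_event(event: str, user: str, src_ip: str, outcome: str) -> str:
    """Emit one audit record as a single JSON line, the shape a centralized
    log platform can ingest without custom parsing, and return that line."""
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "event": event,
        "user": user,
        "src_ip": src_ip,
        "outcome": outcome,
    }
    line = json.dumps(record, sort_keys=True)
    AUDIT.info(line)
    return line


def has_required_context(line: str) -> bool:
    """True only if the record contains every field in REQUIRED."""
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return False
    return all(record.get(field) for field in REQUIRED)


def failed_login_alerts(lines, threshold: int = 5) -> dict:
    """Monitor step: count login failures per account across the log lines and
    return {user: count} for accounts at or above the alert threshold."""
    counts = defaultdict(int)
    for line in lines:
        record = json.loads(line)
        if record.get("event") == "login" and record.get("outcome") == "failure":
            counts[record["user"]] += 1
    return {user: n for user, n in counts.items() if n >= threshold}


# Constructed sample stream: four failures for "alice", one for "bob".
SAMPLE_EVENTS = [
    ("login", "alice", "203.0.113.7", "failure"),
    ("login", "alice", "203.0.113.7", "failure"),
    ("login", "alice", "203.0.113.7", "failure"),
    ("login", "alice", "203.0.113.7", "failure"),
    ("login", "bob", "198.51.100.2", "failure"),
    ("login", "bob", "198.51.100.2", "success"),
    ("password_change", "bob", "198.51.100.2", "success"),
]
SAMPLE_LINES = [log_event(*event) for event in SAMPLE_EVENTS]
```

Running the module prints the seven JSON audit lines; `failed_login_alerts(SAMPLE_LINES, threshold=3)` then returns `{"alice": 4}`, the kind of result that would drive an alert in the monitoring pipeline the solution describes.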