Using Known Vulnerabilities is a broad term for running software in which the developers have discovered and fixed a flaw and released a patch, while the user is still running the outdated, unpatched version of the software.
In many cases of serious breaches, the details are made public over time and the developers/suppliers release a fixed version of the software.
If a user is still running the old version of the software, a malicious user could search for any breaches/fixes for that software and exploit them. Often the details are freely and publicly available – another reason why it’s very important to patch often.
A9 – Using Known Vulnerabilities is often confused with A6 Security Misconfiguration, but the difference is that A6 is concerned with the setup of a device or piece of software (e.g. default login credentials on a router or webcam etc.), whereas A9 is concerned with users not keeping up with fixes.
Here are a couple of videos I found that expand on this.
Ways to avoid suffering #9 Using Known Vulnerabilities
- Patch regularly
- Keep informed about the latest breaches and fixes
- Avoid legacy, discontinued, or unsupported software where possible
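As an added example (not part of the original post), the first two points can be made routine with a small inventory audit: compare each deployed component's version against the version in which a known flaw was fixed. The advisory feed, the inventory and the advisory ids below are all constructed for illustration, not real advisories.

```python
from dataclasses import dataclass

def parse_version(v):
    """Turn '2.4.2' into a tuple so versions compare numerically, not as strings.

    A pre-release such as '2.4.0-rc1' sorts below its final release '2.4.0'.
    Versions with a different number of parts ('2.4' vs '2.4.0') are not
    normalised here; '2.4' sorts below '2.4.0'.
    """
    main, _, pre = v.partition("-")
    nums = tuple(int(p) for p in main.split("."))
    return nums, (0 if pre else 1)

@dataclass
class Advisory:
    id: str              # constructed placeholder id, not a real CVE
    component: str
    fixed_in: str        # first version that contains the fix
    summary: str

# Constructed advisory feed (in practice: vendor bulletins or a vulnerability database).
ADVISORIES = [
    Advisory("ADV-EXAMPLE-1", "examplelib", "2.4.0", "remote code execution, fixed in 2.4.0"),
    Advisory("ADV-EXAMPLE-2", "examplelib", "2.5.1", "authentication bypass, fixed in 2.5.1"),
    Advisory("ADV-EXAMPLE-3", "widgetkit", "1.0.3", "path traversal, fixed in 1.0.3"),
]

# Constructed inventory (in practice: a lock file or package manager export).
INVENTORY = {"examplelib": "2.4.2", "widgetkit": "1.0.3", "othertool": "0.9.0"}

def is_affected(installed, advisory):
    """True when the installed version predates the fix."""
    return parse_version(installed) < parse_version(advisory.fixed_in)

def audit(inventory, advisories):
    """Return {component: [(advisory id, first fixed version), ...]} for outdated components."""
    findings = {}
    for adv in advisories:
        installed = inventory.get(adv.component)
        if installed is None:
            continue  # component not deployed here, nothing to patch
        if is_affected(installed, adv):
            findings.setdefault(adv.component, []).append((adv.id, adv.fixed_in))
    return findings

if __name__ == "__main__":
    for component, hits in audit(INVENTORY, ADVISORIES).items():
        for adv_id, fixed_in in hits:
            print(f"{component} {INVENTORY[component]}: {adv_id}, upgrade to >= {fixed_in}")
```

Running it flags examplelib 2.4.2 against ADV-EXAMPLE-2 (fixed in 2.5.1) while widgetkit 1.0.3 passes, since it already carries the fix.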
Thanks for reading, my next post will be the last item on the 2017 OWASP Top Ten #10 Insufficient Logging and Monitoring!
I have created an account to track my goals on Habitica, if you would like to find/add me my user id is: b2d1d942-f62b-4487-a77b-58c8a93baa9c
Disclaimer: My posts for this project reflect my own understanding of the topics, if I’ve missed the point completely please pull me up and correct me in the comments section and I’ll fix it up asap. Also, if you know of any examples of the vulnerability and how best to protect against it please share 🙂