RagTags for ResCommunes

the machines have taken over

OWASP #6 (2021) – Vulnerable and Outdated Components

Modern applications rely heavily on third-party libraries, frameworks, and packages. When these components are outdated or vulnerable, your app inherits their risks.

Common issues:
- Using libraries with known CVEs.
- Relying on unmaintained or abandoned packages.
- Not patching after security updates are published.
- Bundling unnecessary or excessive dependencies.

It’s easy to introduce these risks without realizing it: even a small transitive sub-dependency, pulled in by something you did choose, can be the weak point attackers exploit.

To reduce risk:
- Use tools to track known vulnerabilities in dependencies (e.g., npm audit, pip-audit, Snyk).
- Patch regularly and automate updates where possible.
- Only include the libraries you actually need.
- Monitor upstream projects for security releases and deprecations.
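As an added example (not code from the original post), here is a small Python CI gate that triages the JSON report from `npm audit --json`: findings at or above a chosen severity that already have an upstream fix fail the build, while findings with no fix yet are listed for a replacement decision, which is where unmaintained packages usually surface. The report shape (`auditReportVersion` 2 with `severity`, `via`, `isDirect`, `fixAvailable`) is assumed from current npm output, and the sample package names and advisory titles are constructed placeholders.

```python
"""CI gate over `npm audit --json` output (constructed sample embedded below)."""
import json

# Severity ladder used by npm audit (report version 2).
SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample in the shape of `npm audit --json`. Package names, titles
# and URLs are placeholders, not real advisories.
SAMPLE_AUDIT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-parser": {"name": "example-parser", "severity": "high", "isDirect": False,
                           "via": [{"title": "Prototype pollution (constructed)",
                                    "url": "https://example.invalid/advisory/1"}],
                           "fixAvailable": True},
        # Abandoned package: severity high, no fixed release exists.
        "example-legacy-util": {"name": "example-legacy-util", "severity": "high", "isDirect": True,
                                "via": ["example-parser"], "fixAvailable": False},
        "example-logger": {"name": "example-logger", "severity": "low", "isDirect": True,
                           "via": [{"title": "Minor ReDoS (constructed)",
                                    "url": "https://example.invalid/advisory/2"}],
                           "fixAvailable": True},
    },
})


def triage(audit_json: str, fail_at: str = "high"):
    """Split an npm audit report into (blocking, needs_review) lists.

    blocking: at/above `fail_at` and npm reports a fix (True or a fix object).
    needs_review: at/above `fail_at` but no fix yet, so patching alone won't help.
    """
    report = json.loads(audit_json)
    threshold = SEVERITY_RANK[fail_at]
    blocking, needs_review = [], []
    for name, finding in report.get("vulnerabilities", {}).items():
        if SEVERITY_RANK.get(finding.get("severity", "info"), 0) < threshold:
            continue
        # `via` mixes advisory objects with names of other vulnerable packages.
        titles = [v["title"] for v in finding.get("via", []) if isinstance(v, dict)]
        entry = {"name": name, "severity": finding["severity"],
                 "direct": bool(finding.get("isDirect")), "advisories": titles}
        (blocking if finding.get("fixAvailable") else needs_review).append(entry)
    return blocking, needs_review


def gate(audit_json: str, fail_at: str = "high") -> int:
    """Exit status for CI: 1 when any fixable finding at/above `fail_at` exists."""
    blocking, needs_review = triage(audit_json, fail_at)
    for e in blocking:
        print(f"BLOCK  {e['severity']:<8} {e['name']} fix available {e['advisories']}")
    for e in needs_review:
        print(f"REVIEW {e['severity']:<8} {e['name']} no fix yet, direct={e['direct']}")
    return 1 if blocking else 0


if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_AUDIT))
```

In a real pipeline, replace `SAMPLE_AUDIT` with the captured stdout of `npm audit --json` and pick `fail_at` to match your patch policy.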

Unpatched software is low-hanging fruit for attackers. Keeping dependencies up to date is basic hygiene.