OWASP A9 - Maintain the latest security patch level for third party libraries and software

Asked Aug 21 '15 at 11:57

Active Aug 21 '15 at 12:09

Viewed 113 times

In wanting to produce secure code, a common requirement is to not use outdated libraries and frameworks in code bases (for example the OWASP A9 requirement).

I understand the reason to do this, but it does not seem like there is an easy way to determine whether or not all the different applications we have and support has libraries or frameworks that need to be updated (of course there is a hard way - manually looking at every single build file and looking up each of the framework's current version).

What open source mechanisms are there to show me some sort of view of the libraries I use, the version I use and the current version that is out there?

edited Aug 21 '15 at 12:09

asked Aug 21 '15 at 11:57

whoami

This is too broad as a question: there are proprietary and opensource tools so ... – Aug 21 '15 at 12:06
I've updated the question to be a little more specific as to what I want – whoami Aug 21 '15 at 12:10
One tool is OWASP Dependency Check – paj28 Aug 21 '15 at 12:32
3

Unfortunately I don't think this question is answerable in the scope of the site. Product recommendations are off-scope (they are ontpic at thttp://softwarerecs.stackexchange.com/) and any other answer would be a generic (find what libraries you have and use a tool to check for available patches) – Rory McCune Aug 21 '15 at 12:51
There is an easy way: https://www.owasp.org/index.php/OWASP_Dependency_Check – Neil McGuigan Aug 21 '15 at 18:43

OWASP A9 - Maintain the latest security patch level for third party libraries and software

0 Answers0