After this lesson, you will be able to: Recognize, find, and fix Vulnerable and Outdated Components (OWASP A06): using libraries, frameworks, or runtimes with known vulnerabilities.
Vulnerable and Outdated Components is OWASP A06: modern apps are mostly other people's code (dependencies), and a known CVE in any of them is your vulnerability. This is one of the easiest categories to exploit (the exploit is often public) and one of the easiest to fix (update the dependency).
Every app pulls in dozens to thousands of dependencies (npm, pip, Maven, OS packages, the framework, the runtime). When one has a published vulnerability (a CVE), and you are running the affected version, attackers can use the public exploit against you. The risk compounds because dependencies have their own dependencies (transitive), and teams often do not know their full software bill of materials or how old it is.
This category is largely automatable.
Generate a software bill of materials (SBOM): know every dependency and version.
Run dependency scanners: `npm audit`, `pip-audit`, OWASP Dependency-Check, Snyk, or GitHub Dependabot alerts.
Scan container images (Trivy, Docker Scout) for vulnerable OS packages and libraries.
Check the runtime/framework version against its end-of-life and known CVEs.
Wire these scans into CI so a new critical CVE in a dependency surfaces on every build.
Update, automate, and remove what you do not use.
# FIND known-vulnerable dependenciesnpm audit # Nodepip-audit # Pythontrivy image myapp:1.2.3 # container image# FIXnpm audit fix # apply safe updates# then bump remaining flagged packages to a patched version + retest# PREVENT (the durable fix)# - Enable Dependabot / Renovate to open update PRs automatically.# - Fail CI on High/Critical CVEs (e.g. trivy --exit-code 1 --severity HIGH,CRITICAL).# - Remove unused dependencies (less code = fewer CVEs).# - Track end-of-life: don't run an unsupported framework/runtime.
Pick the best answer.
Sign in and purchase access to unlock this lesson.