Please note: this post is incomplete & pending review.
A9 – Using Components with Known Vulnerabilities
Almost all of these components, regardless of language, are written and maintained open source by third party people. As is a sad side of open source, packages can often be neglected. If a security vulnerability is discovered, it is typically reported, but up to the author to up date it. This can lead to a wide-spread issue on hundreds or thousands of apps.
To combat this it’s important to
- keep your components up to date, for the components that do receive patches
- monitor your components with a tool to ensure there’s no vulnerabilities present (for example: Github on commits will scan for known vulnerabilities and alert you)
- remove unused components
- only use components from trusted and well maintained sources
A good example of a tool is Github. Github on commits will scan for known vulnerabilities and alert you.
How Does This Apply To WordPress?
WordPress’s core team handles any compoents they use internally, teams of people are ensuring the latest and most secure for the 30% of the internet.
As developers we’re responsible for keeping the code we make up to date, andensuraing any components used are up to date and not vulnerable.
Thus far we’ve been talking about web apps in particular, but this is also true of the server the WordPress site is hosted on. Always ensure your the server and whatever package manager is up to date and contains no vulnerabilities.