[Owasp-topten] Do you know of any Tools (free and commercial) that help with the new 2013-A9: Using Components with Known Vulnerabilities?

Dave Wichers dave.wichers at owasp.org
Sat Sep 7 17:02:48 UTC 2013


All,

I'm wondering if there are tools already out there that can help
organizations automate their approaches to dealing with the new 2013-A9.

I live in the Java world mostly and I'm aware of a few free and commercial
tools that help with this. But I'm sure there are more. I'm particularly
interested in any automation available for other languages since I'm not
very familiar with them.

The ones I am aware of for JAVA are:

FREE:
* Versions plugin for Maven - This plugin compares the versions of each open
source library you are using against the versions available in Maven Central
and lets you know if what you are using is out of date, and if so, what
major and minor version numbers are available that are more recent than what
is currently being used. This tool does not provide any security info, like
known CVEs or anything, but it's still very useful.

Commercial:
* Application Health Check - From Sonatype - This tool provides similar
information to what the Versions plugin provides, plus known CVEs and/or
OSVDB info.
* Contrast - From Aspect Security - Provides version and CVE information
about the open source libraries being used by the applications being
monitored by Contrast.

I'm sure there are others, hopefully lots of them. If you know of any, or
know of any lists/documentation about other tech in this area, please let us
know.

I'm hoping that adding A9 to the Top 10 for 2013 will cause the creation of
many open source and commercial solutions to help make addressing this new
risk much easier than how it must be dealt with today.

-Dave

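As an added illustration (not part of Dave's message and not code from any of the tools he names), here is a small Python check that does at its simplest what such tools automate for A9: read a Maven pom.xml and flag dependencies whose version falls inside a known-affected range. The pom, the artifact names and the advisory ranges are all constructed placeholders, not real CVE data.

```python
# Added example: minimal "known vulnerable component" check over a Maven pom.xml.
# All artifacts, versions and advisory ids below are constructed placeholders.
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"

# Constructed sample pom.xml (hypothetical groupIds/artifactIds)
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>libfoo</artifactId><version>1.2.3</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>libbar</artifactId><version>2.0.0</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>libbaz</artifactId><version>0.9</version></dependency>
  </dependencies>
</project>"""

# Constructed advisory feed: (groupId, artifactId) -> [(first_affected, fixed_in, advisory_id)]
# The affected range is [first_affected, fixed_in): the fixed version itself is clean.
ADVISORIES = {
    ("org.example", "libfoo"): [((1, 0, 0), (1, 3, 0), "ADV-PLACEHOLDER-1")],
    ("org.example", "libbar"): [((1, 0, 0), (2, 0, 0), "ADV-PLACEHOLDER-2")],
}

def parse_version(text):
    """Turn '1.2.3' into a comparable tuple; non-numeric parts (e.g. '0-RC1') count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.strip().split("."))

def dependencies(pom_xml):
    """Yield (groupId, artifactId, version) for each <dependency> in the pom."""
    ns = {"m": POM_NS}
    for dep in ET.fromstring(pom_xml).findall("m:dependencies/m:dependency", ns):
        yield (dep.findtext("m:groupId", namespaces=ns),
               dep.findtext("m:artifactId", namespaces=ns),
               dep.findtext("m:version", namespaces=ns))

def find_known_vulnerable(pom_xml, advisories=ADVISORIES):
    """Return [(groupId, artifactId, version, advisory_id)] for every dependency
    whose declared version lies inside an advisory's affected range."""
    findings = []
    for group, artifact, version in dependencies(pom_xml):
        if not version:  # version inherited from dependencyManagement: not resolved here
            continue
        v = parse_version(version)
        for first, fixed, adv_id in advisories.get((group, artifact), []):
            if first <= v < fixed:
                findings.append((group, artifact, version.strip(), adv_id))
    return findings

if __name__ == "__main__":
    for g, a, v, adv in find_known_vulnerable(SAMPLE_POM):
        print(f"{g}:{a}:{v} matches {adv}")
```

The check deliberately treats the fixed version as clean and ignores unresolved (inherited) versions, which is where a quick script and a real tool like the ones above diverge most.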
