This article appeared first at

Did you know that up to 90 percent of an application typically consists of third-party components, mostly open source? And did you know that more than 50 percent of the Global 500 use vulnerable open-source components?

In today’s software development environment, an enormous amount of work is crowdsourced to a large community of open-source developers and communities, with very little understanding of the security problems this creates, let alone of ways to manage the risk. We all know that we can’t stop using open source, and we know that no one wants to stop using it. In a survey by BlackDuck software, 43 percent of the respondents said they believe that open-source software is superior to its commercial equivalent.

Open source is powerful, and the best developers in the world use it, but it’s time to stop ignoring the security concerns and start tracking the dependencies in your software. First I’ll give you a quick analysis of the ongoing security problem of open-source software dependencies as they relate to security risks, then I’ll wrap things up with a list of tools that you can start using now to get ahead of the curve on this issue.


Organizations usually assume most risks come from public-facing web applications. That has changed. With dozens of small components in every application, risks can come from anywhere in the codebase.

There are several reasons for this problem. For starters, most organizations do not have accurate inventories of the software dependencies used by their different applications. Additionally, most organizations don’t have a reliable means of being notified when zero-days are found or when patches are made available, other than a meager notification from the community supporting the project.


Most organizations search the CVE and NIST Vulnerability Database for vulnerability information, but these sources provide very little information on open-source vulnerabilities. Information on open-source vulnerabilities is distributed among so many different sources that it’s very hard to track.
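The two gaps described above (no accurate dependency inventory, and vulnerability data scattered across sources that must be matched against that inventory) are what a dependency-tracking tool automates. The following is an added example written for this article, not code from the original author or from any of the tools mentioned later: it builds an inventory from a pip-style requirements manifest and checks each pinned version against a local list of advisories expressed as version ranges. The manifest contents, the package names (`flaskish`, `jsonparse`, `imgtools`) and the advisory identifiers (`ADV-EXAMPLE-…`) are all constructed for illustration and correspond to no real project or CVE.

```python
"""Build a dependency inventory from a requirements manifest and match it
against a local advisory list.  Added example; all package names, versions
and advisory identifiers below are constructed, not real data."""
import re

# Constructed manifest in pip requirements.txt syntax (hypothetical packages).
REQUIREMENTS = """\
# web stack
flaskish==1.2.3
jsonparse==0.9.1   # pinned for API compatibility
imgtools==2.0.0
"""

# Constructed advisory feed.  A vulnerable range is [introduced, fixed);
# fixed=None means no patched release exists yet.  Ids are placeholders.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "jsonparse", "introduced": "0.8.0", "fixed": "0.9.2"},
    {"id": "ADV-EXAMPLE-0002", "package": "imgtools",  "introduced": "1.0.0", "fixed": "2.0.0"},
    {"id": "ADV-EXAMPLE-0003", "package": "flaskish",  "introduced": "1.3.0", "fixed": None},
]

# Only pinned, dotted-integer versions are accepted: an inventory that does
# not know the exact version installed cannot be matched against advisories.
PINNED_RE = re.compile(r"([A-Za-z0-9_.-]+)==([0-9]+(?:\.[0-9]+)*)")


def version_lt(a, b):
    """Compare dotted-integer versions; 2.0 and 2.0.0 compare equal."""
    pa = [int(p) for p in a.split(".")]
    pb = [int(p) for p in b.split(".")]
    width = max(len(pa), len(pb))
    pa += [0] * (width - len(pa))
    pb += [0] * (width - len(pb))
    return pa < pb


def parse_requirements(text):
    """Return {package_name: pinned_version}; comments and blank lines are skipped.

    An unpinned or range requirement raises, because the inventory would
    then not describe what is actually deployed."""
    inventory = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        m = PINNED_RE.fullmatch(line)
        if not m:
            raise ValueError(f"unpinned or unsupported requirement: {line!r}")
        inventory[m.group(1).lower()] = m.group(2)
    return inventory


def is_affected(version, introduced, fixed):
    """True if version lies in [introduced, fixed), or >= introduced when unfixed."""
    if version_lt(version, introduced):
        return False
    if fixed is None:
        return True
    return version_lt(version, fixed)


def find_vulnerable(inventory, advisories):
    """Return sorted (package, pinned_version, advisory_id) for every match."""
    hits = []
    for adv in advisories:
        pinned = inventory.get(adv["package"].lower())
        if pinned is not None and is_affected(pinned, adv["introduced"], adv["fixed"]):
            hits.append((adv["package"], pinned, adv["id"]))
    return sorted(hits)


if __name__ == "__main__":
    inventory = parse_requirements(REQUIREMENTS)
    for name, pinned in sorted(inventory.items()):
        print(f"inventory: {name}=={pinned}")
    for package, pinned, adv_id in find_vulnerable(inventory, ADVISORIES):
        print(f"AFFECTED: {package}=={pinned} ({adv_id})")
```

With the constructed data, only `jsonparse==0.9.1` is reported: `imgtools==2.0.0` is exactly the fixed release and falls outside the half-open range, and `flaskish==1.2.3` predates the introduced version of its advisory. The same structure scales to real inputs by swapping the manifest for a lock file and the advisory list for a feed such as the NVD data mentioned above, with the range check carrying most of the weight.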