A6:2021 | Vulnerable and Outdated Components (6) | Cycubix Docs

Knowing the OSS "Bill of Materials" is the starting point

Modern applications are composed of custom code and many pieces of open source. The developer is normally very knowledgeable about their custom code but less familiar with the potential risk of the libraries/components they use. Think of the bill of materials as the list of ingredients in a recipe.

Questions we should know the answer to:

  • How do we know what open source components are in our applications?

    • How do we know what versions of open source components we are using?

  • How do we define the risk of open source components?

  • How do we discover the risk of open source components?

    • How do we associate a specific risk to a specific version of an open source component?

  • How do we know when a component releases a new version?

  • How do we know if a new vulnerability is found on what was previously a "good" component?

  • How do we know if we are using the authentic version of an open source component?
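The questions above map directly onto checks that can be run against a bill of materials. The following is an added example, not part of the original lesson: it reads a constructed CycloneDX-style SBOM and answers them against a constructed advisory feed and registry view (all component names, versions, hashes and advisory IDs are sample data, not real packages or CVEs).

```python
import json

# Constructed CycloneDX-style SBOM (a subset of the real format's fields); sample data only.
SBOM_JSON = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
    {"name": "example-json", "version": "2.8.1", "hashes": [{"alg": "SHA-256", "content": "aa11"}]},
    {"name": "example-http", "version": "1.2.0", "hashes": [{"alg": "SHA-256", "content": "bb22"}]},
    {"name": "example-log", "version": "4.0.3", "hashes": []},
]})

# Constructed advisory feed: (component, first vulnerable version, first fixed version, id).
ADVISORIES = [
    ("example-json", "2.0.0", "2.9.0", "ADV-SAMPLE-001"),
    ("example-http", "0.1.0", "1.1.0", "ADV-SAMPLE-002"),  # already fixed in the version used
]
# Constructed registry view: latest published version and expected SHA-256 per component.
REGISTRY = {
    "example-json": {"latest": "2.9.0", "sha256": "aa11"},
    "example-http": {"latest": "1.2.0", "sha256": "ff99"},  # hash differs: not the authentic artifact
    "example-log": {"latest": "4.0.3", "sha256": "cc33"},   # no hash recorded in the SBOM at all
}

def vtuple(v):
    """Turn '2.8.1' into (2, 8, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def inventory(sbom_json):
    """Which components, at which versions, are in the application."""
    return {c["name"]: c["version"] for c in json.loads(sbom_json)["components"]}

def affected(sbom_json, advisories):
    """Associate each advisory with the specific version in use; re-run with a fresh feed to catch new findings."""
    inv = inventory(sbom_json)
    return sorted(adv_id for name, lo, fixed, adv_id in advisories
                  if name in inv and vtuple(lo) <= vtuple(inv[name]) < vtuple(fixed))

def outdated(sbom_json, registry):
    """Components for which the registry lists a newer version than the one in use."""
    return sorted(n for n, v in inventory(sbom_json).items()
                  if vtuple(v) < vtuple(registry[n]["latest"]))

def unverified(sbom_json, registry):
    """Components whose recorded SHA-256 is missing or differs from the registry's expected value."""
    bad = []
    for c in json.loads(sbom_json)["components"]:
        sha = {h["alg"]: h["content"] for h in c.get("hashes", [])}.get("SHA-256")
        if sha != registry[c["name"]]["sha256"]:
            bad.append(c["name"])
    return sorted(bad)
```

A real pipeline would generate the SBOM from the build (for example with a CycloneDX tool) and pull the advisory and registry data from live sources; the matching logic stays the same.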
