SBOM adoptability in open source software scanning

Software developers routinely use open-source components to expedite the software development process. Though we apply the highest security standards to proprietary code, these open-source dependencies can expose us to a broad range of security and legal risks. We often see in the industry that the security of open-source libraries is treated as solely the responsibility of the application security and product teams.

We often rely on the application security team to perform SCA (software composition analysis) to identify vulnerabilities and to communicate with product and engineering teams on remediation. However, we must adopt a holistic approach to dealing with open-source software.

We must have a usage policy and a remediation policy at the organization level. We should have standards that specify how to set up and maintain repositories and libraries of open-source software components that developers may use as part of a robust CI/CD pipeline.

Anitha Dakamarri

DFIN-Lead Security Engineer

Dallas, Texas, United States
