BS - We've known about this for years - Proof? (Score 1)

Security researchers have known about vulnerabilities in third-party components for years. Anytime you increase the attack surface of an application through the use of third-party components (commercial or open source), you're potentially introducing vulnerabilities that you didn't create. A formal study was conducted by Aspect Security in 2012. https://www.aspectsecurity.com... which illustrates how big of a problem this actually is. Up until this time, the security community always knew it was a problem, but didn't have much stats to back up their claims. This research (as well as other data points) was essential for OWASP to introduce a new category in the OWASP Top Ten 2013 - A9: Using Components with Known Vulnerabilities. 2014 was not "the year we learned how vulnerable third party code libraries are". It was the year that organizations which had no security best practices in place, paid a much higher price than organizations that did.