Open-source packages and container images bring in vulnerabilities.
Dependencies accumulate new vulnerabilities over time and reach end of life (EOL). Newer, more secure versions are released, but the direct dependencies that use them do not pick them up.
Businesses need innovation, and developers rely on opaque open-source packages to innovate at pace and at scale. There is a reason no other industry lets engineers select components based on personal preference: it is hard to trust components built by strangers outside of a secure, regulated supply chain.
Open-source packages depend on other open-source packages, which in turn depend on other open-source packages, up to 60 levels deep. Developers can't see these static dependencies, and neither can most AppSec tools. Do you really know what's in your software?
Going from a vulnerability announcement to understanding its impact to mitigating it should take seconds, not months. The longer it takes, the longer an organization stays at risk.