A posting from Dark Reading in their Application Security section:
During the past decade, developers have increasingly leaned on third-party components, such as open-source libraries, to dramatically lighten the load during coding. These components can help reduce time spent adding basic or universal features and functions so that developers can focus their work on the innovative code that will differentiate their applications from the crowd. Unfortunately, this valuable shortcut adds another layer of risk to the development process.
“The cost of including a library has gone way down. Developers aren’t stupid, so they’re naturally going to say, ‘I don’t have to write that code, I’ll just pay a library to do it,’” says Jeff Williams, CEO of Aspect Security and a key volunteer in the OWASP organization, who explains that the resultant risk is that developers are pulling in potentially insecure code and running it with the full privilege of the application. “I can’t really underestimate the amount of risk we’re talking about here. If there is a vulnerability in the library, you’ve now exposed everything that that application is in control of.”
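The practical counterpart to the point above is an inventory of which third-party components an application actually ships, checked against a list of known-vulnerable versions (the approach tools such as OWASP Dependency-Check automate). The script below is an added illustration, not code from Dark Reading, Aspect Security or OWASP: it parses a requirements-style manifest, flags unpinned entries that cannot be audited at all, and matches exact pins against an advisory list. The manifest, package names and advisory identifiers are constructed placeholders, not real packages or real findings.

```python
"""Minimal software-composition check: inventory pinned third-party
dependencies and compare them with an advisory list.

Added example; not from the article or from any OWASP project. The
manifest and advisory entries are constructed sample data with
placeholder package names and advisory ids.
"""
import re

# Constructed sample manifest, in requirements.txt style.
SAMPLE_REQUIREMENTS = """\
# web stack (constructed example, not real packages)
webframework==2.3.1
templating==1.0.4
imagelib>=3.0        # floating range: cannot be audited precisely
jsonparser==0.9.2
"""

# Constructed advisory feed: package -> list of (fixed_in, advisory_id).
# Every version strictly lower than fixed_in is treated as affected.
SAMPLE_ADVISORIES = {
    "templating": [("1.1.0", "ADV-PLACEHOLDER-001")],
    "jsonparser": [("1.0.0", "ADV-PLACEHOLDER-002")],
    "webframework": [("2.0.0", "ADV-PLACEHOLDER-003")],  # fixed before 2.3.1
}


def parse_version(text):
    """Turn '1.2.3' into a comparable tuple (1, 2, 3).

    Parsing stops at the first non-numeric component, so '1.2rc1' -> (1, 2).
    Tuples compare element by element, which avoids the classic string
    comparison mistake where '1.10.0' sorts below '1.9.0'.
    """
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def parse_requirements(text):
    """Return {package_name: exact_version_or_None}.

    None marks an entry that is not pinned with '==' and therefore can
    resolve to a different version on every build.
    """
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        pinned = re.match(r"^([A-Za-z0-9_.-]+)==([0-9A-Za-z.]+)$", line)
        if pinned:
            deps[pinned.group(1).lower()] = pinned.group(2)
        else:
            name = re.match(r"^[A-Za-z0-9_.-]+", line).group().lower()
            deps[name] = None
    return deps


def check_dependencies(requirements_text, advisories):
    """Return sorted (package, status, detail) findings.

    status is 'unpinned' for floating versions and 'vulnerable' for an
    exact pin that falls below the fixed version in an advisory.
    """
    findings = []
    for name, version in parse_requirements(requirements_text).items():
        if version is None:
            findings.append((name, "unpinned",
                             "version floats between builds; pin it so it can be audited"))
            continue
        for fixed_in, adv_id in advisories.get(name, []):
            if parse_version(version) < parse_version(fixed_in):
                findings.append((name, "vulnerable",
                                 f"{version} is below fixed version {fixed_in} ({adv_id})"))
    return sorted(findings)


if __name__ == "__main__":
    for package, status, detail in check_dependencies(SAMPLE_REQUIREMENTS, SAMPLE_ADVISORIES):
        print(f"{status:10} {package:14} {detail}")
```

The unpinned case is reported on purpose: a dependency whose version floats is the one a build can silently upgrade into a vulnerable release, and no advisory match is possible until it is pinned. In a real pipeline the advisory dictionary would be fed from a maintained vulnerability database rather than embedded in the script.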