Working with dependencies

In addition to the security risks posed by application code developed in-house, there is a risk associated with components that are reused. Between 50% and 80% of modern application code is not developed in-house, but is taken from other parties in the form of packages or dependencies. Some of these might be open source, but this is not necessarily the case. There can also be components that are bought from other development companies or binaries taken from galleries such as NuGet.

Dependencies not only pose security risks, but also licensing risks. What happens if a team starts using a component that is published under the GPL license in a closed source product? If anyone ever finds out, the team can be forced to open source its product, or at least suffer public shame for not using the work of others according to the license.

To mitigate these risks, a number of tools can be used to detect and scan all of the dependencies that are used when building an application. One of the tools available to do this is WhiteSource Bolt, which is available as an extension from the Azure DevOps marketplace.
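As an added illustration (not code from the book or from WhiteSource Bolt), the license check described above can be automated as a build gate. The snippet walks a constructed dependency inventory, shaped like a scanner export with package, version and SPDX license expression, and classifies each component against an assumed policy: copyleft licenses block a closed-source release, permissive ones are allowed, anything else is routed to human review.

```python
import json

# Example policy (an assumption for this illustration, not the book's or any
# scanner's): copyleft licenses block a closed-source release, permissive ones
# are allowed, anything else needs a human review.
COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only",
            "GPL-3.0-or-later", "AGPL-3.0-only", "AGPL-3.0-or-later"}
PERMISSIVE = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}

# Constructed sample export (fictitious package names, not real data), shaped
# like the dependency inventory a scanner might produce.
SAMPLE_INVENTORY = json.dumps({"dependencies": [
    {"name": "fast-json", "version": "13.0.1", "license": "MIT"},
    {"name": "example-parser", "version": "2.4.0", "license": "GPL-3.0-only"},
    {"name": "dual-licensed-lib", "version": "1.2", "license": "GPL-2.0-only OR MIT"},
    {"name": "mystery-lib", "version": "0.9", "license": "UNKNOWN"},
]})


def classify_license(expression):
    """Map an SPDX-style expression to 'allowed', 'blocked' or 'review'.

    A dual-licensed package ("A OR B") is allowed if any alternative is
    permissive, because the consumer may choose that alternative.
    """
    options = [part.strip() for part in expression.split(" OR ")]
    if any(opt in PERMISSIVE for opt in options):
        return "allowed"
    if any(opt in COPYLEFT for opt in options):
        return "blocked"
    return "review"


def review_inventory(inventory_json):
    """Group every dependency in the inventory by policy verdict."""
    report = {"allowed": [], "blocked": [], "review": []}
    for dep in json.loads(inventory_json)["dependencies"]:
        verdict = classify_license(dep["license"])
        report[verdict].append(f'{dep["name"]}@{dep["version"]} ({dep["license"]})')
    return report


def passes_policy(report):
    """Build gate: fail while anything is blocked or still awaiting review."""
    return not report["blocked"] and not report["review"]


if __name__ == "__main__":
    result = review_inventory(SAMPLE_INVENTORY)
    for verdict, items in result.items():
        print(verdict.upper(), *items, sep="\n  ")
    print("policy passed:", passes_policy(result))
```

Wired into a pipeline, a failing `passes_policy` result would stop the build until the blocked or unreviewed components are replaced or approved.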
