by realkitkat
3540 days ago
Although it does mention some risks of using 3rd party code/components in passing under 'Understanding and Controlling Dependencies' (835-), I would have expected them to make a stronger case for OWASP 2013-TOP10-A09: 'using components with known vulnerabilities'[1] type of analysis. This applies to almost any kind of modern application, not just web apps, but especially to those written in native languages (C/C++/...), as we increasingly build our applications by bringing in varying amounts of 3rd party code, open source or commercial. Like traditional static code analysis, more or less mature tooling exists in open source[2][3][4] and commercial capacity to perform static binary and source code analysis to discover and track 'offending' 3rd party code, which does make it practical to include this kind of analysis in sdl/sdlc/devops workflows.

[1] https://www.owasp.org/index.php/Top_10_2013-A9-Using_Compone...
[2] http://www.binaryanalysis.org/en/home
[3] https://www.owasp.org/index.php/OWASP_Dependency_Check
[4] https://github.com/OWASP/SafeNuGet
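As an added illustration of the A9-style gate the comment argues for (example code, not from the commenter or from any of the linked tools), the script below matches a declared component manifest against an advisory feed using numeric version-range comparison and exits non-zero on any hit, the way such a check would sit in a CI step. Package names, versions and advisory ids are constructed placeholders.

```python
"""Offline 'components with known vulnerabilities' check (constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.2.10' into (1, 2, 10) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in v.split("."))


def version_in_range(version: str, spec: str) -> bool:
    """spec is a comma-separated constraint list, e.g. '>=2.0,<2.4.1'."""
    ver = parse_version(version)
    ops = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
           ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
           "==": lambda a, b: a == b}
    for constraint in spec.split(","):
        constraint = constraint.strip()
        # Longest operators first so '<=' is not mistaken for '<'.
        op = next(o for o in ("<=", ">=", "==", "<", ">") if constraint.startswith(o))
        if not ops[op](ver, parse_version(constraint[len(op):].strip())):
            return False
    return True


@dataclass
class Advisory:
    advisory_id: str   # constructed placeholder, not a real CVE id
    package: str
    affected: str      # affected version range


# Constructed advisory feed and dependency manifest for a stand-alone run.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "libjson", "<1.3.0"),
    Advisory("ADV-EXAMPLE-0002", "tinyxml", ">=2.0,<2.4.1"),
]
MANIFEST: Dict[str, str] = {"libjson": "1.2.10", "tinyxml": "2.4.1", "zlibwrap": "0.9.0"}


def find_known_vulnerable(manifest, advisories) -> List[Tuple[str, str, str]]:
    """Return (package, version, advisory_id) per match; empty list means the gate passes."""
    return [(pkg, ver, adv.advisory_id)
            for pkg, ver in sorted(manifest.items())
            for adv in advisories
            if adv.package == pkg and version_in_range(ver, adv.affected)]


if __name__ == "__main__":
    hits = find_known_vulnerable(MANIFEST, ADVISORIES)
    for pkg, ver, adv_id in hits:
        print(f"{pkg} {ver} matches {adv_id}")
    raise SystemExit(1 if hits else 0)  # fail the build on any known-vulnerable component
```

Note that tinyxml 2.4.1 is not flagged because the advisory's upper bound is exclusive, and that 1.10.0 is correctly treated as newer than 1.9.0, which a string comparison would get wrong.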