Risk: Using components with known vulnerabilities. Demonstrates the risks of outdated libraries, insecure deserialization, and poor dependency management.
Manage risk from dependencies by tracking SBOMs, scanning for CVEs, and safely upgrading or mitigating issues.
Create SBOMs, scan dependencies, and remediate or mitigate with configuration.
Governance for third-party risk: allowlists, pinning, and runtime protections.