"However, the unfortunate reality is that vulnerabilities that are found in an SDK that is utilized by third-parties will take additional time to patch: First the organization that maintains the SDK issues a fix, and some amount of time later, third-parties that utilize the SDK provide an update to their customers including these fixes," the Cisco researchers said. "This provides a rather large window of time in which miscreants can exploit vulnerabilities in third-party products."
At a time when over 80 percent of any new software application consists of third-party code, tracking vulnerabilities in outside libraries is very important. Unfortunately, studies show that many software developers not only fail at this task, but don't even have a clear picture of which third-party components they used in which of their applications.
Sign up for Computerworld eNewsletters.