Software applications are generally developed by integrating many existing software components. That is, instead of developing new applications from a blank slate, most software applications are built by combining many, at times hundreds of, existing software components, such as proprietary components (e.g., closed-source libraries or device drivers) and Free and Open Source Software (FOSS) components. Furthermore, these components are often created and offered by third-party vendors (e.g., vendors other than the developer of an application that incorporates the components).
Yet, a software vendor that distributes software applications is responsible for ensuring the security of the final applications, regardless of the security of individual components of the application. In other words, a vendor that distributes a software application has the same responsibility to ensure the security of third-party components of the application as it has for the application code developed by the vendor itself. In general, this leads to the need for complex and dynamic software tracking and security monitoring policies.