A Security Practices Evaluation Framework
Description
List of components used by the project but not written by the project (e.g. libraries and frameworks from the organization, third parties, or open-source projects)
Data Collection
Work with the project team and/or the source code to determine the project's dependencies on components. For each component, record the project name, the source (vendor/OSS project/internal project/…), and whether the source is available.
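One way to start this collection from the source code, as an added example that is not part of the framework itself: the script reads dependency manifests and emits one record per component with the three fields named above. The manifest contents, the `acme` and `vendorx` names, and the classification rules are constructed assumptions; the source and availability values are a first pass to confirm with the project team.

```python
import csv, io, json, re

# Constructed sample manifests (not taken from any real project).
REQUIREMENTS_TXT = """\
# constructed sample
requests==2.31.0
acme-billing-client==1.4.2
cryptography>=42.0
"""
PACKAGE_JSON = ('{"dependencies": {"express": "^4.18.2", '
                '"@acme/ui-kit": "3.0.1", "vendorx-pdf-sdk": "7.2.0"}}')

# Assumptions that would come from the project team:
INTERNAL_PREFIXES = ("acme-", "@acme/")          # internal naming convention
VENDOR_COMPONENTS = {"vendorx-pdf-sdk": False}   # name -> is source available?

def parse_requirements(text):
    """Return component names from pip-style requirement lines."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments
        if not line or line.startswith("-"):     # skip blanks and pip options
            continue
        names.append(re.split(r"[<>=!~;\[ ]", line, maxsplit=1)[0])
    return names

def parse_package_json(text):
    """Return component names from an npm manifest's dependencies."""
    return list(json.loads(text).get("dependencies", {}))

def classify(name):
    """Map a component to (source, source_available)."""
    if name in VENDOR_COMPONENTS:
        return "vendor", VENDOR_COMPONENTS[name]
    if name.startswith(INTERNAL_PREFIXES):
        return "internal project", True
    # Assumed default: public-registry packages are OSS with source available.
    return "OSS project", True

def build_inventory():
    names = parse_requirements(REQUIREMENTS_TXT) + parse_package_json(PACKAGE_JSON)
    rows = []
    for name in sorted(set(names)):              # one record per component
        source, available = classify(name)
        rows.append({"project_name": name, "source": source,
                     "source_available": available})
    return rows

def to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["project_name", "source", "source_available"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    print(to_csv(build_inventory()))
```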