Do Insecure Open Source Components Threaten Your Apps?

30.03.2012

Once you've taken that step, you need to analyze your component repositories for vulnerable components and your key applications for known security vulnerabilities.

Finally, you must establish controls throughout the development cycle. Jackson suggests establishing policies regarding security, the use of viral licenses and out-of-date or out-of-version components. He also suggests eliminating or blacklisting known vulnerable components in internal repositories and establishing mechanisms to prevent known flawed components from entering the organization.
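One way to implement both the repository audit and the entry gate described above, as an added example that is not from the article. The component names, denylist ranges and policy minimums are constructed, and comparing versions as dotted numbers is a simplifying assumption.

```python
import re

# Constructed denylist: "group:artifact" -> [(first_bad, first_fixed), ...]
DENYLIST = {
    "org.example:webframework": [("2.0.0", "2.3.5")],
    "org.example:xmlparser": [("0", "1.4.2"), ("2.0.0", "2.0.3")],
}
# Constructed out-of-date policy: "group:artifact" -> oldest version still allowed
MIN_VERSION = {"org.example:logging": "1.2.0"}

# Constructed listing of an internal repository
INVENTORY = [
    "org.example:webframework:2.3.4", "org.example:webframework:2.3.5",
    "org.example:xmlparser:1.4", "org.example:logging:1.1.9",
    "org.example:utils:3.0.0", "org.example:broken",
]

def vkey(version, width=4):
    """Map '2.3' or '2.3.5-SNAPSHOT' to a fixed-width tuple so 2.3 == 2.3.0."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("-")[0])][:width]
    return tuple(nums + [0] * (width - len(nums)))

def evaluate(coordinate):
    """Gate decision for one 'group:artifact:version'; unknown input fails closed."""
    parts = coordinate.strip().split(":")
    if len(parts) != 3 or not all(parts):
        return False, "malformed coordinate"
    name, version = ":".join(parts[:2]), parts[2]
    if not re.search(r"\d", version):
        return False, "unparseable version"
    v = vkey(version)
    for first_bad, first_fixed in DENYLIST.get(name, []):
        if vkey(first_bad) <= v < vkey(first_fixed):
            return False, f"known vulnerable, fixed in {first_fixed}"
    floor = MIN_VERSION.get(name)
    if floor and v < vkey(floor):
        return False, f"out of date, policy minimum is {floor}"
    return True, "ok"

def audit(inventory):
    """Scan what is already in the repository; return components to remove."""
    return {c: why for c in inventory for ok, why in [evaluate(c)] if not ok}

if __name__ == "__main__":
    for component, why in audit(INVENTORY).items():
        print(f"BLOCK {component}: {why}")
```

The same `evaluate` function serves as the admission check on a repository proxy or build step, so the audit and the gate cannot drift apart.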
