Here’s a typical example from an audit we did in 2007. This is from a well-known enterprise software company. They were very diligent about keeping track of what was going into their software and had catalogued 303 open source components they were using. But as you can see here, they were way off base, and the actual number was 838. We discovered 535 components—big moving parts critical to their product—that they had no idea were there. And there is nothing unique about their situation. We have seen something similar in every audit we’ve ever done. Based on our experience, it is a virtual certainty that your company’s software is similar. This means that you are using components that probably have known security exploits that are listed in the NVD, and that your undocumented code is also unpatched and un-upgraded.