== Security Information Overload

=== What's important?

* Is my component exploitable?
* Is my component an authentic copy of what the upstream project published?
** If it has been modified, do I understand why?
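The second question above is a mechanical check: compare the bytes you actually ship against the digest the registry recorded for that release. The following is an added example, not code from the original slides; it uses the Subresource-Integrity string format (`sha512-<base64>`) that npm stores in `package-lock.json`'s `integrity` field, and the "component" bytes and the tampered copy are constructed inline for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample: a tiny payload standing in for a published tarball, and
# the same bytes with a one-token change standing in for a modified copy.
PUBLISHED = b"module.exports = function add(a, b) { return a + b; };\n"
MODIFIED = PUBLISHED.replace(b"a + b", b"a - b")

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_digest(data: bytes, algorithm: str = "sha512") -> str:
    """Return an SRI string ("sha512-<base64>") for `data`, the same shape
    a lockfile records when a component is first resolved."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(data: bytes, expected: str) -> bool:
    """True if `data` matches the SRI string `expected`.

    The digest comparison is constant-time; a malformed SRI string is an
    error rather than a silent "not verified", so a broken lockfile entry
    cannot be mistaken for a tampered artifact (or vice versa)."""
    algorithm, _, encoded = expected.partition("-")
    if algorithm not in SRI_ALGORITHMS or not encoded:
        raise ValueError(f"malformed SRI string: {expected!r}")
    try:
        wanted = base64.b64decode(encoded, validate=True)
    except (ValueError, TypeError) as exc:
        raise ValueError(f"malformed SRI digest: {expected!r}") from exc
    actual = hashlib.new(algorithm, data).digest()
    return hmac.compare_digest(actual, wanted)


def audit_components(installed: dict, lockfile: dict) -> dict:
    """Answer "is each installed component an authentic copy?" for a set of
    components: `installed` maps name -> bytes on disk, `lockfile` maps
    name -> SRI string. Returns name -> "ok" | "modified" | "unpinned"."""
    report = {}
    for name, data in installed.items():
        expected = lockfile.get(name)
        if expected is None:
            report[name] = "unpinned"      # nothing to compare against
        elif verify_sri(data, expected):
            report[name] = "ok"
        else:
            report[name] = "modified"      # now ask *why* it differs
    return report


if __name__ == "__main__":
    lock = {"add": sri_digest(PUBLISHED)}
    print(audit_components({"add": PUBLISHED}, lock))   # {'add': 'ok'}
    print(audit_components({"add": MODIFIED}, lock))    # {'add': 'modified'}
    print(audit_components({"other": PUBLISHED}, lock)) # {'other': 'unpinned'}
```

A "modified" result is a prompt to investigate, not a verdict: a vendored patch or a rebuilt tarball is also a mismatch, which is exactly why the slide's follow-up question is "do I understand why?".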

=== Security information is scattered everywhere

* Multiple sources of security advisories
** 80,000+ CVEs in the National Vulnerability Database
** Node Security Project, Metasploit, VulnDB, Snyk, ...
** Thousands of website security advisories, blog posts, tweets, ...
* 600,000 GitHub events generated daily
** Roughly 700 of those are security-related
** Release notes, change logs, code comments, ...

=== Summary

* It is not reasonable to expect a developer to continually research every component they depend on.
* Developers are not security experts, and they already have a day job.