Third-party code comes from a variety of sources. Some code is developed by major organizations, such as Oracle or Microsoft, while other code is created by individual contributors and posted on Stack Overflow or GitHub, where developers find it and integrate it into a project.
As a result, some code is created and released without being subjected to strong review and security testing. Even code that originates from a reputable organization can contain vulnerabilities.
When an application uses third-party dependencies, it can inherit any vulnerabilities contained in that code. It is essential that organizations perform application security testing on their entire codebase, including code developed both in-house and by third parties.