Question
how does a company formally accept software from 3rd party developers?
- what do delivery acceptance tests look like?
- how to prove there are no viruses?
- what should monthly programmer notes look like?
- how do we know where/what the source code is?
- how do they prove open source code or 3rd party software bolted into the main package is in contractual compliance with the organization's intended use?
Are these the right questions to ask?
Answer
Are you the client or the third party? It is hard to answer the question of contractual compliance without knowing what the contract entails.
If you are the client, you should have created the acceptance Test Cases or at least signed off on it. It is recommended that you just accept the third party's test results. Your company should execute them to have the assurance it does work as expected.
As to risk exposure, you need to execute a scan for vulnerabilities. There are several tools that do that.
Dynatrace is a well regarded one. You probably heard of the recent log4j vulnerability exposure; tools like Dynatrace look for entry points like that in the code.
Hope this helps.
Gus Amaral
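As an added illustration of the acceptance step the answer describes (this is example code, not the answerer's or any vendor tool's), the script below runs three mechanical checks a client can apply to a third-party delivery before signing off: file hashes against the digests the vendor sent out of band, a licence allowlist and a source-location check over the delivery's SBOM, and a minimum-version floor for libraries with a known fixed flaw, using log4j-core as the example from the answer. The delivery archive, the SBOM layout, the allowlist, the `2.17.1` floor and all component names and versions are constructed assumptions for this example; a real programme would feed these from the contract and from a vulnerability scanner rather than hand-coding them.

```python
import hashlib
import io
import json
import zipfile

# Acceptance policy (assumptions for this example, not taken from the answer):
# licences the contract permits without further review, and the lowest version
# accepted for libraries with a known, fixed flaw.
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause", "Proprietary"}
MIN_VERSIONS = {"log4j-core": "2.17.1"}  # assumed policy floor for the log4j fix series


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def build_delivery(jar_bytes, sbom):
    """Constructed stand-in for a vendor drop: a zip holding the build plus its SBOM."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("app.jar", jar_bytes)
        z.writestr("sbom.json", json.dumps(sbom))
    return buf.getvalue()


def verify_checksums(delivery_bytes, expected):
    """Compare each delivered file against the SHA-256 the vendor sent separately."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(delivery_bytes)) as z:
        names = set(z.namelist())
        for name, digest in expected.items():
            if name not in names:
                findings.append(f"{name}: listed in delivery note but missing")
                continue
            if hashlib.sha256(z.read(name)).hexdigest() != digest:
                findings.append(f"{name}: sha256 mismatch")
    return findings


def review_sbom(sbom):
    """Check licence, recorded source location and version floor for every component."""
    findings = []
    for c in sbom["components"]:
        name, version = c["name"], c["version"]
        if c.get("license") not in ALLOWED_LICENSES:
            findings.append(f"{name}: licence {c.get('license')!r} not on allowlist, needs contract review")
        if not c.get("source"):
            findings.append(f"{name}: no source location recorded")
        floor = MIN_VERSIONS.get(name)
        if floor and parse_version(version) < parse_version(floor):
            findings.append(f"{name}: version {version} below required {floor}")
    return findings


def accept_delivery(delivery_bytes, expected_hashes):
    """Return (accepted, findings); the delivery is accepted only when nothing was flagged."""
    findings = verify_checksums(delivery_bytes, expected_hashes)
    with zipfile.ZipFile(io.BytesIO(delivery_bytes)) as z:
        sbom = json.loads(z.read("sbom.json"))
    findings += review_sbom(sbom)
    return (not findings), findings


# Constructed sample data: one delivery with problems, one that passes.
JAR = b"constructed jar payload"
EXPECTED = {"app.jar": hashlib.sha256(JAR).hexdigest()}  # as if sent in the delivery note

BAD_SBOM = {"components": [
    {"name": "log4j-core", "version": "2.14.1", "license": "Apache-2.0",
     "source": "https://example.invalid/log4j (placeholder)"},
    {"name": "fast-json", "version": "1.0.3", "license": "GPL-3.0-only", "source": ""},
]}
GOOD_SBOM = {"components": [
    {"name": "log4j-core", "version": "2.17.1", "license": "Apache-2.0",
     "source": "https://example.invalid/log4j (placeholder)"},
    {"name": "app", "version": "3.2.0", "license": "Proprietary",
     "source": "vendor repo, commit <placeholder>"},
]}

if __name__ == "__main__":
    for label, sbom in (("bad", BAD_SBOM), ("good", GOOD_SBOM)):
        accepted, findings = accept_delivery(build_delivery(JAR, sbom), EXPECTED)
        print(label, "accepted" if accepted else "rejected")
        for f in findings:
            print("  -", f)
```

The findings list is the artefact to attach to the acceptance record: each line names the component and the policy clause it failed, which is what the sign-off meeting and the contractual compliance review need. A tampered or substituted file shows up as a hash mismatch before the SBOM is even read, so the provenance check gates the rest.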