how does a company formally accept software from 3rd party developers?
- what delivery acceptance tests look like?
- how to prove there are no viruses?
- what should monthly programmer notes look like?
- how do we know where/what the source code is?
- how they prove open source code or 3rd party software bolted into the main package is in contractual compliance with the organization's intended use?
Are these the right questions to ask?
There are several ways in which a company can formally accept software from 3rd party developers.
One of the most popular methods is to form an agreement with the developer wherein they will sign a contract and make it clear that they have developed a piece of software for you. Once you have signed this contract, it becomes legally binding between you and the developer and there's no way back from it.
If your company does not have any such formal agreements in place, then you need to do some more research on how other companies have been doing things so that you can adopt similar strategies. There are plenty of articles available online that provide all the information about these strategies. Just google "how to form an agreement" or "what should be included in software development agreement" for more details on this topic.
For more information, you can schedule a call and we can discuss in detail.
Are you the client or the third party? It is hard to answer the question of contractual compliance without knowing what the contract entails.
If you are the client, you should have created the acceptance Test Cases or at least signed off on it. It is recommended that you just accept the third party's test results. Your company should execute them to have the assurance it does work as expected.
As to risk exposure, you need to execute a scan for vulnerabilities. There are several tools that do that.
Dynatrace is a well regarded one. You probably heard of the recent log4j vulnarability exposure, tools like Dynatrace look for entry points like that in the code.
hope this helps.