Question
how does a company formally accept software from 3rd party developers?
- what do delivery acceptance tests look like?
- how to prove there are no viruses?
- what should monthly programmer notes look like?
- how do we know where/what the source code is?
- how do they prove open source code or 3rd party software bolted into the main package is in contractual compliance with the organization's intended use?
Are these the right questions to ask?
Answer
Those all seem valid questions to ask. And I don't think the package should be accepted solely based on the respective answers.
You should have someone from the company thoroughly review the code and also perform extensive testing. I understand sometimes it is not feasible to review thousands of lines of code manually. So in addition to code review, use tools to scan for vulnerabilities. Human review + scan. Not one or the other.
Ultimately it is on the organization's corporate security and overall design requirements. Something can be acceptable to one org and not the other.
Not a simple question but hope it helps. I'll be glad to discuss further and help any way I can.
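Two of the acceptance questions above (knowing exactly what source code was delivered, and whether bundled third-party components are in license compliance) can be partly automated. The following is an added example, not code from the question or answer: it checks a delivered file set against the vendor's hash manifest and checks an SBOM-style component list against a license allowlist; the manifest, file contents, component names and allowlist are all constructed sample values.

```python
import hashlib

# Constructed allowlist of acceptable licenses for this (hypothetical) organization.
LICENSE_ALLOWLIST = {"MIT", "Apache-2.0", "BSD-3-Clause"}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_manifest(files: dict, manifest: dict) -> list:
    """Compare delivered files (name -> bytes) with the vendor manifest (name -> sha256).
    Reports missing files, hash mismatches, and files delivered but not listed."""
    problems = []
    for name, expected in manifest.items():
        if name not in files:
            problems.append(f"missing: {name}")
        elif sha256_hex(files[name]) != expected:
            problems.append(f"hash mismatch: {name}")
    for name in files:
        if name not in manifest:
            problems.append(f"unlisted: {name}")
    return problems

def check_licenses(components: list, allowlist=LICENSE_ALLOWLIST) -> list:
    """Flag every component whose declared license is absent or not on the allowlist."""
    return [f"{c['name']}@{c['version']}: {c.get('license', 'UNKNOWN')}"
            for c in components if c.get("license") not in allowlist]

def accept_delivery(files: dict, manifest: dict, components: list):
    """Return (accepted, findings); a delivery is accepted only with zero findings."""
    findings = verify_manifest(files, manifest) + check_licenses(components)
    return (len(findings) == 0, findings)

# Constructed sample delivery: the manifest is built from the intended files to
# stand in for what the vendor would supply alongside the package.
DELIVERED = {"src/main.py": b"print('hello')\n", "README.md": b"# Widget\n"}
MANIFEST = {name: sha256_hex(data) for name, data in DELIVERED.items()}
# Same delivery with one source file altered after the manifest was produced.
TAMPERED = dict(DELIVERED, **{"src/main.py": b"print('hello')\nimport os\n"})
# Constructed SBOM-style component list (names, versions and licenses are sample values).
COMPONENTS = [
    {"name": "requests", "version": "2.31.0", "license": "Apache-2.0"},
    {"name": "somelib", "version": "1.0", "license": "GPL-3.0-only"},
    {"name": "vendored-blob", "version": "0.1"},
]

if __name__ == "__main__":
    for label, files in (("clean", DELIVERED), ("tampered", TAMPERED)):
        ok, findings = accept_delivery(files, MANIFEST, COMPONENTS)
        print(label, "accepted" if ok else "rejected", findings)
```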