How does a company formally accept software from 3rd party developers?
- What do delivery acceptance tests look like?
- How do we prove there are no viruses?
- What should monthly programmer notes look like?
- How do we know where/what the source code is?
- How do they prove that open source code or 3rd party software bolted into the main package is in contractual compliance with the organization's intended use?
Are these the right questions to ask?
These are very good questions to start with. In addition, make sure you cover the following bases:
1. Security - viruses are just one thing; ask them about pen testing done, system stability, fallback options, and rollback plans for deployments/changes, and make them reassure you that they are rock solid.
2. Integration - cover it extensively: how do they integrate (APIs? connectors? their own middleware? what do they offer? if they do not offer it, who do they partner with?)
3. Skills - what's included in their out-of-the-box development and service package: who (which role) will help all the way through, how many man-hours are they offering for support; increase this if needed.
4. Roadmap - what else are they working on?
5. Scalability and strategy - do they align with yours?
Just the few most important points that come to mind. I am happy to support further if required. I have personally evaluated over 200 RFPs in my career.
Those all seem valid questions to ask. And I don't think the package should be accepted solely based on the respective answers.
You should have someone from the company thoroughly review the code and also perform extensive testing. I understand that sometimes it is not feasible to review thousands of lines of code manually, so in addition to code review, use tools to scan for vulnerabilities. Human review + scan, not one or the other.
Ultimately it depends on the organization's corporate security and overall design requirements. Something can be acceptable to one org and not to another.
Not a simple question but hope it helps. I'll be glad to discuss further and help any way I can.
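As an added example (not code from either answer above, and not tied to any real vendor), here is the kind of automated gate the second answer's "human review + scan" advice implies. It runs before the human review and covers four of the original questions: integrity of what was delivered against a vendor-supplied manifest (where/what the source code is), a hash check against a known-bad list (one signal for the virus question, not a proof), rejection of opaque binaries that are not declared components, and license/provenance checks on third-party components. The manifest format, the allow-listed licenses, the binary suffixes, the known-bad hash list and both sample deliveries are all constructed for this example.

```python
"""Delivery acceptance gate: automated checks to run before the human code review."""
import hashlib
import io
import json
import zipfile

# Hypothetical policy values (constructed for this example).
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}
BINARY_SUFFIXES = (".exe", ".dll", ".so", ".jar", ".bin")
# Stand-in for a malware hash list from an AV or threat-intel feed (constructed).
KNOWN_BAD_SHA256 = {hashlib.sha256(b"CONSTRUCTED-MALICIOUS-SAMPLE").hexdigest()}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_delivery(files: dict, components: list, manifest_overrides=None) -> bytes:
    """Pack files plus a manifest.json (hash per file, declared components) into a zip.
    This mimics what you would contractually require the vendor to ship with every delivery."""
    manifest = {
        "files": {name: sha256_hex(data) for name, data in files.items()},
        "components": components,
    }
    if manifest_overrides:  # used below to simulate a file changed after the manifest was written
        manifest["files"].update(manifest_overrides)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
        zf.writestr("manifest.json", json.dumps(manifest))
    return buf.getvalue()


def check_delivery(archive: bytes) -> list:
    """Return (code, detail) findings; an empty list means the delivery passes the automated gate."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        if "manifest.json" not in names:
            return [("NO_MANIFEST", "delivery has no manifest.json")]
        manifest = json.loads(zf.read("manifest.json"))
        declared = manifest.get("files", {})
        present = {n: zf.read(n) for n in names if n != "manifest.json"}

    # 1. Integrity: every shipped file must be declared with a matching hash ("where/what is the source").
    for name, data in present.items():
        digest = sha256_hex(data)
        if name not in declared:
            findings.append(("UNDECLARED_FILE", name))
        elif declared[name] != digest:
            findings.append(("HASH_MISMATCH", name))
        if digest in KNOWN_BAD_SHA256:  # a known-bad hit is one signal, never a proof of absence
            findings.append(("KNOWN_BAD_HASH", name))
    for name in declared:
        if name not in present:
            findings.append(("MISSING_FILE", name))

    # 2. Opaque binaries: the contract asks for source, so a shipped binary must belong to a declared component.
    component_paths = {c.get("path") for c in manifest.get("components", [])}
    for name in present:
        if name.lower().endswith(BINARY_SUFFIXES) and name not in component_paths:
            findings.append(("UNSOURCED_BINARY", name))

    # 3. License compliance: each third-party component needs an allow-listed license and a stated origin.
    for comp in manifest.get("components", []):
        if comp.get("license") not in ALLOWED_LICENSES:
            findings.append(("LICENSE_NOT_ALLOWED", f"{comp.get('name')}: {comp.get('license')}"))
        if not comp.get("source_url"):
            findings.append(("NO_PROVENANCE", comp.get("name")))
    return findings


# Constructed sample deliveries.
CLEAN_FILES = {
    "src/app.py": b"from pad import pad\nprint(pad('x', 3))\n",
    "third_party/pad/pad.py": b"def pad(s, n): return s.rjust(n)\n",
    "third_party/pad/LICENSE": b"MIT License (constructed)\n",
}
CLEAN_COMPONENTS = [{"name": "pad", "version": "1.0.0", "license": "MIT",
                     "path": "third_party/pad", "source_url": "https://example.invalid/pad"}]


def clean_delivery() -> bytes:
    return build_delivery(CLEAN_FILES, CLEAN_COMPONENTS)


def bad_delivery() -> bytes:
    files = dict(CLEAN_FILES)
    files["vendor/helper.dll"] = b"MZ\x90\x00 constructed fake binary, no declared component"
    files["tools/unknown.bin"] = b"CONSTRUCTED-MALICIOUS-SAMPLE"  # matches the constructed bad-hash list
    comps = [{"name": "pad", "version": "1.0.0", "license": "GPL-3.0",
              "path": "third_party/pad", "source_url": ""}]
    # Simulate a file changed after the manifest was produced: recorded hash no longer matches.
    return build_delivery(files, comps, manifest_overrides={"src/app.py": "0" * 64})


if __name__ == "__main__":
    print("clean:", check_delivery(clean_delivery()))
    print("bad:", check_delivery(bad_delivery()))
```

The gate only decides whether the delivery is worth a reviewer's time; a clean result still goes to the human review and the vulnerability scanners the answer recommends, and each finding code maps to a clause you would want in the delivery contract (manifest required, no undeclared binaries, allow-listed licenses, stated origin for every component).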