Assess Security Impact of Acquired Software
When an organization merges with or purchases another organization, the acquired source code, repository access and design, and intellectual property should be analyzed and reviewed to assess their security. The phases of the acquired organization's development cycle should be reviewed as well.
There are some use cases that bear further discussion:
- Open source: Never rely on previous software testing or on the people who have tested it. You must test open source software yourself. Especially, you must test for security vulnerabilities in components such as OpenSSL, jQuery, and MongoDB.
- Commercial: Confirming the security of commercial tools is usually more difficult than for open source, because the source code is usually not available to examine. Fortunately, some vendors voluntarily permit security consulting firms to examine their software for vulnerabilities and permit customers to view the test results.
- Software libraries: Here we mean libraries, collections of software modules that by themselves are not programs but are used to build programs or are used by programs while they are running. You need to test the security of these libraries yourself, because many of them are not secure.
- Operating systems: It does not matter whether the purchased operating system is open source (such as the various Linux distributions) or not; you should still consider its security aspects. There are good tools for this purpose, among which are Nessus and Rapid7.
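The open source and software library points above both come down to the same first step: inventory the third-party components the acquired code depends on and check each pinned version against known advisories. The following script is an added example, not code from the original page; it assumes a Python `requirements.txt`-style dependency file and uses a constructed advisory list with hypothetical ids, which in practice would be replaced by a real vulnerability feed.

```python
"""Inventory third-party libraries in acquired code and match them against a
known-vulnerability list (added example; not from the original page)."""
import re

# Constructed sample requirements file, as it might be found in an acquired
# repository. The package names are real projects, but the versions are
# chosen for illustration only.
SAMPLE_REQUIREMENTS = """\
# web stack
requests==2.19.0
pymongo==3.4.0
pyjwt>=1.5,<2
"""

# Constructed advisory list. The ids and "fixed_in" versions are hypothetical
# placeholders, not real CVE data; a practitioner would load this from a
# vulnerability feed instead.
SAMPLE_ADVISORIES = [
    {"package": "requests", "id": "EXAMPLE-ADV-0001", "fixed_in": "2.20.0"},
    {"package": "pymongo", "id": "EXAMPLE-ADV-0002", "fixed_in": "3.6.0"},
]

# name, comparison operator, version (anything after a comma is ignored)
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*(==|>=|<=|~=|>|<)\s*([^\s,#]+)")


def parse_version(text):
    """Turn '2.19.0' into (2, 19, 0) so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def parse_requirements(text):
    """Return (name, operator, version) for each non-comment line.

    Lines that do not look like a name/operator/version triple (for example a
    VCS URL) are kept with operator None so they are reported, not dropped.
    """
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            deps.append((line, None, None))
            continue
        name, op, ver = m.groups()
        deps.append((name.lower(), op, ver))
    return deps


def assess(requirements_text, advisories):
    """Map each dependency to 'vulnerable', 'ok' or 'unpinned'.

    Only an exact pin (==) can be compared against an advisory. A range or a
    bare name resolves at install time, so the shipped version is unknown and
    the dependency must be pinned before it can be assessed.
    """
    by_pkg = {}
    for adv in advisories:
        by_pkg.setdefault(adv["package"].lower(), []).append(adv)

    report = {}
    for name, op, ver in parse_requirements(requirements_text):
        if op != "==":
            report[name] = {"status": "unpinned", "advisories": []}
            continue
        hits = [a["id"] for a in by_pkg.get(name, [])
                if parse_version(ver) < parse_version(a["fixed_in"])]
        report[name] = {"status": "vulnerable" if hits else "ok",
                        "advisories": hits}
    return report


if __name__ == "__main__":
    for name, result in assess(SAMPLE_REQUIREMENTS, SAMPLE_ADVISORIES).items():
        print(f"{name:10s} {result['status']:10s} {' '.join(result['advisories'])}")
```

The "unpinned" status is the point a reviewer of acquired code most often needs: a version range looks harmless in the file, but it means the version actually deployed cannot be determined from the repository alone, so the finding is "pin it, then re-assess" rather than "ok".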