Dana wants to ensure that her software acquisition process for open source software is as secure as possible. What should she do to validate the security of the open source software?
Answer Options
Ensure that the software source code is escrowed.
Review the source code for the software.
Check dependencies for known vulnerabilities.
Purchase the software from a software vendor.
Correct Answer: C
Explanation
Dependency checking for open source software is a common best practice to help ensure that the underlying components do not have known security vulnerabilities. Dependency security checking tools (software composition analysis tools) are available that Dana could use for this, and because new vulnerabilities are published continually, the check needs to be repeated over time rather than performed once at acquisition. Software source code escrow is used to ensure that an organization can obtain the source code if the supplier goes out of business or another adverse event endangers the organization relying on the code; it says nothing about the code's security. Reviewing the source code for an entire application is outside the scope and capability of the majority of organizations, particularly once its transitive dependencies are included. Purchasing software from a known vendor can help, but it does not ensure that the software is secure or that its dependencies are free of known issues.
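The kind of check the explanation refers to, as an added example that is not part of the original question: a dependency manifest (pinned `name==version` lines, requirements.txt style) is matched against an advisory list, and any dependency whose version falls inside an affected range is reported. The manifest and the advisories below are constructed for the example; the advisory identifiers are placeholders, not real CVE numbers, and the version comparison is a numeric-only simplification. A real process would run a tool such as pip-audit, npm audit or OWASP Dependency-Check against a live advisory feed instead of a hand-written list.

```python
"""Match a dependency manifest against an advisory list (constructed example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample manifest (not from the original page). One entry is
# deliberately left unpinned, because an unpinned dependency cannot be checked.
REQUIREMENTS = """\
# web stack
flask==1.0.2
requests==2.31.0          # http client
urllib3==1.25.8
pyyaml==5.3.1
jinja2>=2.10
"""

# Constructed, hypothetical advisories: (package, introduced, fixed_in, id).
# A version v is affected when introduced <= v < fixed_in. IDs are placeholders.
ADVISORIES: List[Tuple[str, str, str, str]] = [
    ("urllib3", "0.0", "1.26.5", "ADV-EXAMPLE-0001"),
    ("pyyaml", "0.0", "5.4", "ADV-EXAMPLE-0002"),
    ("flask", "0.0", "0.12.3", "ADV-EXAMPLE-0003"),
]

_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric-only version parsing: '1.26.5' -> (1, 26, 5).
    Pre-release suffixes such as 'rc1' are ignored (simplifying assumption)."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True when a < b, padding shorter tuples with zeros so 5.4 == 5.4.0."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


def parse_manifest(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (pinned {name: version}, unpinned [name]) from requirements text."""
    pinned: Dict[str, str] = {}
    unpinned: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if "==" in line:
            name, version = (s.strip() for s in line.split("==", 1))
            pinned[name.lower()] = version
        else:
            m = _NAME_RE.match(line)
            if m:
                unpinned.append(m.group().lower())
    return pinned, unpinned


def find_vulnerable(pinned: Dict[str, str],
                    advisories: List[Tuple[str, str, str, str]]
                    ) -> List[Tuple[str, str, str]]:
    """Return (name, version, advisory_id) for every pinned dependency whose
    version lies in an advisory's affected range, in manifest order."""
    hits = []
    for name, version in pinned.items():
        for pkg, introduced, fixed_in, adv_id in advisories:
            if pkg.lower() != name:
                continue
            if not version_lt(version, introduced) and version_lt(version, fixed_in):
                hits.append((name, version, adv_id))
    return hits


def audit(manifest: str, advisories=ADVISORIES) -> Dict[str, list]:
    """Full check: vulnerable pinned dependencies plus entries that could not
    be checked because they are not pinned to a single version."""
    pinned, unpinned = parse_manifest(manifest)
    return {"vulnerable": find_vulnerable(pinned, advisories),
            "unpinned": unpinned}


if __name__ == "__main__":
    report = audit(REQUIREMENTS)
    for name, version, adv_id in report["vulnerable"]:
        print(f"VULNERABLE {name}=={version}: {adv_id}")
    for name in report["unpinned"]:
        print(f"UNPINNED   {name}: cannot be checked, pin to a version")
```

The unpinned entry is reported as a finding in its own right: a manifest that accepts any version of a component cannot be said to have been checked, which is why pinning (or a lock file) is a prerequisite for this kind of validation.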