Relying on open source does not by itself expose your organization to vulnerabilities, provided someone actually reviews the code for security concerns. Unlike proprietary software, open source code is fully viewable and therefore auditable, so the key to enterprise use of open source is to avoid undermanaging it. But while the opportunity to audit is there, the expertise often is not, and the auditability so often touted as an advantage of open source is not a practical advantage for every organization that uses it. Many users lack the time, expertise or resources to conduct security audits of the open source they depend on, so we need to consider other avenues to obtain a similar level of assurance in that code, for example audits performed by third parties or by the project's own community. When sensitive workloads are deployed, trust alone is not enough; "trust but verify" is the mantra to keep in mind.
Link: The risk of undermanaged open source software