Ghost Fleet

I recently finished the book "Ghost Fleet, A Novel of the Next World War" and found it both entertaining and thought-provoking. In a nutshell, it is about the next world war being very technology-based and how our dependence on foreign manufacturing adds to our risk of that technology being malicious or subverted.
The book is a good read and there is a lot of action starting at the midpoint all the way to the end.
While hardware such as chips may be subverted, there is also a risk of software containing malicious aspects that could lead to unpredictable or unexpected behavior. Several recent news articles about the government embracing open source software (OSS) made me think of how that code is vetted and by whom.
While making use of OSS can have significant cost-saving benefits and decrease time to market, there has to be a real effort to ensure that the code performs only as expected.

It is very enticing to simply clone a GitHub repository and add it to the baseline, but there must be discipline to check the code for safety and security before it is introduced into your environment. It is very difficult to plan and budget tasks associated with this activity, and it may be more difficult to find reliable and knowledgeable personnel who are willing to do it.
Malicious code may be waiting for particular conditions, time or any number of other factors before it is enabled and acts.

Another challenging aspect of this activity is that individual components of the code might not be dangerous by themselves but might act in conjunction with other parts in subtle ways that are very difficult to detect with a simple desk-checking process.

I am a big believer in how cost savings can be found using OSS, but I also recognize that it is not a panacea and that using it comes at a cost that must be considered in advance.

 

It's entertaining, à la Clancy back in the Red Storm Rising days. Definitely some thought fodder in the cyber sphere.


I just started that book. Heard from a friend, Rick Holland, that it was pretty good.


More articles by Doug Toppin
