The federal IT procurement safety net may be developing some holes.
Many federal developers are forgoing traditional software purchasing in favor of going directly to the source and downloading code from tens of millions of open source repositories and libraries. While this can certainly expedite innovation, it also has the potential to expose agencies to security risks if they’re not careful.
This backdoor approach to code procurement can let some unwanted visitors in with it: unknown and dangerous vulnerabilities that have gone undetected in the code. Without the checks and balances of procurement, how can agencies be sure that the code they are downloading does not contain malware or some other malicious component? How can they stay agile while keeping their applications and networks safe?
A rigorous procurement process that takes into account security hygiene and quality assurance can help keep the bad stuff from getting into the system. Circumventing that process can create a couple of different challenges.
Keep reading this article at: https://www.nextgov.com/ideas/2018/12/bypassing-procurement-can-introduce-some-unwanted-visitors/153144/