At the very least, this will apply a 'many eyes' to some of the SSL code and so long as the ssh pruning isn't wholesale slash-and-burn that cutting it back may prove efficacious for two reasons.
Less code can be simpler code, with decreased likelihood of there being a bug due to complexity and interaction.
Getting rid of the special cases such as VMS and Windows also reduces the complexity.
I get criticised occasionally for long and detailed posts that some readers complain treat them like beginners, but sadly if I don't I get comments such as this in reply
Data Loss is something you prevent; you enforce controls to prevent data
leakage, DLP can be a programme, but , I find very difficult to support
with a policy.
Does one have visions of chasing escaping data over the net with a three-ring binder labelled "Policy"?
Let me try again.
Policy comes first.
Without policy giving direction, purpose and justification, supplying the basis for measurement, quality and applicability (never mind issues such as configuration) then you are working on an ad-hoc basis.
The use of third-party code in applications represents a big security
risk for companies, according to a study from security vendor Veracode.
but they go on in such a way as to make me wonder what they mean by 'third party'. Some of what they discuss seems to come from the primary supplier. Now if the primary supplier contracted out work, how are you to know?
Companies often use code libraries that have been developed from either
open-source projects or outsourcing organizations that have been
contracted to create applications...
I wouldn't be so quick to disparage open source projects. Some of them have demonstrated much better code quality, much better reliability and security than commercial products from first-tier vendors.
"Variable quality"? Well yes, but that goes for the products from first tier vendors. "Ship at the end of the month regardless". Yes, I've seen that. "Release to satisfy the investors/wall street". I've seen that too. Open Source doesn't have those constraints.