Cyber attacks and espionage are on the rise. To defend yourself and even your devices, I think it's a better idea to first inspect or review all the software you download or purchase.
In some industries in the UK, assurance testing of software is a requirement. This can be a challenge for closed source software, and attempting to reverse engineer such software is usually in breach of the EULA. An alternative method of assurance testing is fuzzing, which can help to identify security gaps and coding errors. The technique involves sending large quantities of data to the input fields of an application and observing any crashes. Correlating the specific input with the crash will yield an opportunity for further exploration.
I have used this technique to identify vulnerabilities in Programmable Logic Controllers.
I am afraid that the most secure way of protecting your computer and data from espionage is to NEVER connect it to the Internet or any networks. Practically it is impossible these days, since you cannot set up a newly purchased computer without connecting it to the Internet. All other methods, like SW inspections or reviews - sorry to say - give only an impression of security, because with the tools available to an average or even above-average computer user we do not have the skills and capabilities to detect various sorts of malicious SW developed and used by specialized agencies. Various sorts of espionage SW modules can be "inserted" into normal application and/or system SW without giving the user any clue that such modules have been added. Some protection is given by various sorts of antivirus SW, but also in this case we, the users, do not have a 100% guarantee that our machine and assets are free of the risk of being subject to espionage. Everything which I wrote sounds pessimistic, but it is reality. We are surrounded by and we are using SW containing millions of lines of code, developed by various parties who do not always disclose their practices towards users. Just a small example: WhatsApp, which was collecting and giving away data to some governmental agencies. Therefore it is an illusion to expect that in an "open" usage of IT we can protect ourselves 100% from espionage.
The ability to inspect or review code from a third party can be complex. Purchased software, from a legal and contractual point of view, tends to prohibit any inspection from a code perspective; also, companies are not obligated to disclose their software testing and review processes, nor their findings. We would hope they are following some form of accredited standard on software testing, development, and implementation, which can help lower the risk of a secure software deployment. But once the software is downloaded or purchased, there are a number of tools that can assist with tracking software integrity, like checksums, comparing hashes, etc., but that is a small fraction of prevention on all levels. Software inspection means nothing if you're not legally privileged to all the code or even the UML models. Not having a sound model or knowing the behavior of the software being deployed can be trivial trying to secure. But let's say the software was secured utilizing a standard practice, but the implementation and deployment are flawed; then we have discredited the entire process. Implementation seems to be an area where most of us discover security flaws in our environments. That's why some organizations are going back to developing their own software components rather than downloading and purchasing anything. Yes, it is more cost effective to purchase a solution for the long term, but there is a risk associated with it. If you look at the many code reviews going on internally and then a decision to implement their product utilizing flawed APIs and software frameworks, it's all in vain. All that work produced and deployed just to have your adversaries attack the flaws in your architecture and implementation. But I do agree with at least a mandatory inspection of software purchased and/or downloaded before implementing it, or at least give yourself a window into tracking the integrity of these components.
Remember, detecting and slowing down the adversary is probably the most accurate when it comes to reality.
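The post above mentions checksums and hash comparison as the practical tools for tracking the integrity of purchased or downloaded components. As an added example (mine, not from anyone in this thread), here is the check in working form: stream a file through SHA-256, compare it against a vendor-style `sha256sum` manifest using a constant-time comparison, and show that a single changed byte is detected. The file contents, the manifest line and the file name `vendor-tool.bin` are all constructed for the example.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path: str, chunk_size: int = 1 << 16) -> str:
    """Hash the file in chunks so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse lines in `sha256sum` output style: '<hex digest>  <filename>'.
    Blank lines and '#' comments are skipped; malformed lines are an error
    rather than silently ignored, so a corrupted manifest cannot pass as empty."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name.lstrip("*")] = digest.lower()   # '*' marks binary mode in sha256sum
    return expected


def verify(path: str, expected: dict) -> tuple:
    """Return (ok, message) for one file against the parsed manifest."""
    name = os.path.basename(path)
    if name not in expected:
        return False, f"{name}: no entry in manifest"
    actual = sha256_file(path)
    if hmac.compare_digest(actual, expected[name]):   # constant-time comparison
        return True, f"{name}: OK"
    return False, f"{name}: MISMATCH expected {expected[name][:12]}... got {actual[:12]}..."


def demo() -> tuple:
    """Constructed end-to-end run: a clean file passes, a one-byte edit fails."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "vendor-tool.bin")
        content = b"constructed installer payload v1.0\n"   # constructed sample artifact
        with open(path, "wb") as f:
            f.write(content)
        # Manifest as a vendor would publish it alongside the download.
        manifest = f"{hashlib.sha256(content).hexdigest()}  vendor-tool.bin\n"
        expected = parse_manifest(manifest)
        ok_clean, _ = verify(path, expected)
        # Simulate tampering or corruption in transit: flip one byte.
        with open(path, "r+b") as f:
            f.seek(10)
            f.write(b"X")
        ok_tampered, msg = verify(path, expected)
        print(msg)
    return ok_clean, ok_tampered


if __name__ == "__main__":
    print(demo())
```

Two practical notes on this. First, keeping the computed digest of each deployed component as a baseline and re-running `verify` on a schedule is the "window into tracking integrity" the post asks for: it catches silent replacement after deployment, not only at download time. Second, a hash fetched from the same page as the download only proves the transfer was intact; it says nothing about whether the vendor's build itself is trustworthy, which is exactly the gap the rest of the thread is about.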