Open source and risk: 4 application security action items