Commercial off-the-shelf (COTS) software is software that is readily available for purchase from a vendor or a third party and that can be used with little or no modification. COTS software is often cheaper, faster, and easier to acquire and deploy than custom or in-house developed software, because the buyer does not carry the cost of development, testing, and ongoing maintenance. However, COTS software also introduces security concerns of its own, including the following:
Exploits for COTS software are well documented and publicly available. Because the same product is deployed by many organizations and individuals, a single vulnerability has a large population of targets, which makes COTS software attractive to attackers. Vulnerabilities in COTS products are routinely disclosed by security researchers, by the vendors themselves, or by attackers, and working exploit code frequently follows the advisory within days, so the window between disclosure and active exploitation can be short. COTS users therefore need an accurate inventory of which products and versions they run (an unknown installation cannot be patched), must monitor vendor security advisories and bulletins for new issues, and must apply the vendor's security patches and updates as quickly as their change-control process allows, prioritizing by severity and exposure.
Vendors may not provide adequate support or updates for COTS software. COTS users depend on the vendor or third party for both the security and the functionality of the software, and they generally cannot fix a vulnerability themselves because they do not own or have access to the source code. A vendor may not provide timely or sufficient support or updates, especially once the product is outdated, discontinued, or past its end-of-support date, or if the vendor goes out of business. This can leave users running unpatched, insecure software with no remediation path other than compensating controls or replacement. COTS users therefore need to evaluate the vendor's reputation, track record, and service level agreements (including commitments on vulnerability disclosure and patch delivery), track published end-of-support dates, and ensure that the software is compatible and compliant with their security requirements and standards.
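The two concerns above (public advisories that must be acted on quickly, and vendors whose support may lapse) come down to the same routine check: compare the installed inventory against current advisories and against the vendor's support window. The script below is an added illustration of that check, not code from the cited CISSP references; the product names, versions, advisory identifiers, and end-of-support dates are all constructed and do not describe real products or real vulnerabilities.

```python
"""Check a COTS inventory against security advisories and vendor support dates.

Added example, not taken from the CISSP references cited on this page.
All products, versions, advisory IDs, and dates below are constructed
placeholders for illustration only.
"""
from datetime import date

# Constructed inventory: product -> installed version.
INVENTORY = {
    "acme-gateway": "4.2.1",
    "widget-erp": "11.0.3",
    "legacy-dbtool": "2.9.0",
}

# Constructed advisories. A product is affected when its version lies in
# [affected_from, fixed_in); fixed_in of None means the vendor has no fix.
ADVISORIES = [
    {"id": "ADV-0001", "product": "acme-gateway", "affected_from": "4.0.0", "fixed_in": "4.2.2"},
    {"id": "ADV-0002", "product": "widget-erp", "affected_from": "10.0.0", "fixed_in": "11.0.3"},
    {"id": "ADV-0003", "product": "legacy-dbtool", "affected_from": "2.0.0", "fixed_in": None},
]

# Constructed vendor end-of-support dates.
SUPPORT_END = {
    "acme-gateway": date(2027, 1, 1),
    "widget-erp": date(2026, 6, 30),
    "legacy-dbtool": date(2023, 12, 31),
}


def parse_version(version):
    """Turn '4.10.0' into (4, 10, 0) so versions compare numerically.

    Comparing the raw strings would be wrong: '4.10.0' < '4.9.0' lexically.
    Assumes purely numeric dotted versions, which is all this example needs.
    """
    return tuple(int(part) for part in version.split("."))


def is_affected(installed, affected_from, fixed_in):
    """True if `installed` is within the advisory's affected range."""
    v = parse_version(installed)
    if v < parse_version(affected_from):
        return False
    if fixed_in is None:           # no fix published: every later version is affected
        return True
    return v < parse_version(fixed_in)


def assess(inventory, advisories, support_end, today):
    """Return (product, reference, recommended action) tuples for every finding."""
    findings = []
    for product, installed in inventory.items():
        for adv in advisories:
            if adv["product"] != product:
                continue
            if is_affected(installed, adv["affected_from"], adv["fixed_in"]):
                if adv["fixed_in"]:
                    action = f"upgrade to {adv['fixed_in']}"
                else:
                    action = "no vendor fix; mitigate or replace"
                findings.append((product, adv["id"], action))
        # A product that is unsupported, or that we have no support data for,
        # cannot be expected to receive patches at all.
        end = support_end.get(product)
        if end is None or end < today:
            findings.append((product, "UNSUPPORTED", "vendor support ended; plan replacement"))
    return findings


if __name__ == "__main__":
    for product, ref, action in assess(INVENTORY, ADVISORIES, SUPPORT_END, date.today()):
        print(f"{product}: {ref}: {action}")
```

In practice the inventory would come from a software asset management or SBOM tool and the advisories from vendor bulletins or a vulnerability feed; the comparison logic, and the need to treat "no fix available" and "no longer supported" as findings in their own right, is the same.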
COTS software may not meet the specific needs or expectations of the users. COTS software is designed for the general or common needs of a broad range of customers, which may not match the specific or unique needs of a given organization. For example, a COTS product may lack the features, functions, or performance that the users require, or it may ship with features, services, or components that the users do not need. Beyond reduced efficiency, productivity, or satisfaction, the unneeded components matter from a security standpoint: every enabled but unused service, interface, or module enlarges the attack surface and still has to be patched, so unused functionality should be disabled or removed as part of hardening. COTS users therefore need to conduct a thorough analysis and evaluation of the software before purchasing or deploying it, and ensure that it meets their business, technical, and security objectives and criteria.

References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 10: Software Development Security, page 663; Official (ISC)² CISSP CBK Reference, Fifth Edition, Domain 8: Software Development Security, page 1005.