MITRE | The Edge Perspectives | Assuring the Safety and Security of COTS Software Products

March 2001
Volume 2
Number 1

COTS Commercial Off-the-Shelf

COTS "Solutions": Opportunities and Obstacles

Commercial Off-the-Shelf Software—Benefits and Burdens

Understanding Risks Alleviates COTS-based Systems Woes

Using COTS Means Business Not as Usual for the Government

COTS Software Licensing Accompanied by Trepidation

MITRE Roundtable
Is a COTS Solution Right for Me?

Assuring the Safety and Security of COTS Software Products

Selecting COTS Products or Services

Universal COTS Interfaces

Home > News & Events > MITRE Publications > The Edge >

Assuring the Safety and Security of COTS Software Products

COTS software products are most often “black boxes” to the end users, who can only surmise the safety or security of the software by examining the system behavior. This can raise a severe risk in critical military systems. Assuring the safety and security of COTS products is difficult because:

• The rush to market means end users become testers.

• COTS products have an unknown pedigree (who developed it, what process was used).

• The absence of source code precludes some analyses to certify the code, and it may be illegal to do reverse engineering of commercial products to deduce the code.

• Systems may not use all the features of COTS software but the unused features may have an undesirable effect on the behavior and resource consumption of the product.

Suggestions for managing these risks include:

• Determine if the vendor publishes all errors reported by users.

• Tap into user communities that do disseminate information on errors, problems, and solutions.

• Design the system to be defensive about COTS products performing critical functions by creating checks and bounds on the damage they can do if they perform incorrectly.

• Use open source products in order to be able to obtain and analyze the source code.

There are other technical issues that make thorough testing of COTS software difficult. For a discussion of these issues and the research that is needed to address them, see “Issues in the Assurance of Component-Based Software.” If you are interested in a fuller discussion on Information Assurance, read our recently published February 2001 EDGE issue devoted to this topic.

For more information, please contact Judy Clapp using the employee directory.

	Solutions That Make a Difference.® Copyright © 1997-2013, The MITRE Corporation. All rights reserved. MITRE is a registered trademark of The MITRE Corporation. Material on this site may be copied and distributed with permission only.
	Privacy Policy \| Contact Us