
Security in COTS Software in SDLC

Software security is the part of information security that defends against the viruses, malware, breaches, hacks, and ransomware attacks that dominate the headlines. It is the subject of the eighth domain of the CISSP certification exam, Software Development Security.

With software powering every sector of our digital life, thousands upon thousands of lines of code are written to make it all work. In practice, that software runs on a mix of legacy systems and new systems. Legacy systems persist in an organization because transitioning away from them and building replacements is a difficult process. In both the legacy and the new systems there will be bugs and vulnerabilities that escaped review and made their way into the production environment.

Security can be designed into new systems from the start, but legacy systems carry vulnerabilities that are harder to address, in large part because of their reliance on COTS (commercial off-the-shelf) products.

Risks when working with COTS products:

COTS products are more prone to security loopholes because they bring third-party code, which the organization neither wrote nor can fully inspect, into its environment. Here are some of the risks when working with COTS products:

1. They are attractive targets for attack

Attackers are constantly finding new ways to break in and extract critical information. A COTS product is deployed at many organizations, so a single flaw in it can be exploited against every customer, and a successful attack yields valuable corporate information that can be sold or used for personal or professional gain.

2. Security of COTS products cannot be independently verified

Most organizations cannot review the source code of COTS products and have to use them as delivered, so the product's security cannot be verified in-house. Buyers of COTS products have to rely on the vendor's security assurances, and on whatever published security reports, audits, and reviews exist for the product.

3. Easy availability of COTS products

Because COTS products are sold broadly, attackers can obtain their own copy of the same software a target runs and study it at leisure. Vulnerabilities and attack patterns for popular products are freely discussed and traded in black hat communities, which is a significant security risk for every customer of the product.

4. Limited liability

COTS license agreements almost always limit the vendor's liability: customers accept the product with explicit disclaimers stating that the vendor cannot be held responsible for software flaws, vulnerabilities, or the damages that result from them. The risk of a defect therefore stays with the customer.

5. COTS products are generic

COTS products are built in a generic way, and it is up to the customer to configure and customize them for their needs. Because they are generic, they may lack the functionality needed to integrate fully with the security infrastructure already in the customer's environment, such as its identity management, logging, or key management systems.


Mitigation strategies:

Here is a list of mitigation strategies to overcome the risks listed above:

1. Know your components

Since a security vulnerability can exist in any component of a piece of software, it is essential to know every component of the COTS product, down to the smallest third-party library bundled inside it. Ask the vendor for a software bill of materials, or build your own inventory of the product and its bundled dependencies, so that when a vulnerability is announced you can tell immediately whether it affects you.

2. Understand the connections between components

To mitigate the risks of COTS products, it is also necessary to understand how the different components depend on one another. Knowing these connections shows how a vulnerability or threat in one component propagates to the others, and where isolation can be introduced to lessen the impact.

3. Secure infrastructure

A product cannot be secure if it is installed in an insecure infrastructure. Every COTS product has to be installed in a hardened environment. Here the environment means the operating system, the network, the databases, and the connected infrastructure; securing each of these reduces the risk the product poses.

4. Refer questions to the vendor

Any nagging or persistent security question should be put to the vendor promptly rather than left unresolved. It is also worth asking the vendor about the security problems encountered earlier in the product's history and the patches that were introduced to address them.

5. Community knowledge

Before purchasing a COTS product, customers should engage with its user communities and read what existing users report about it. Customers need not believe everything that is written, but they should do adequate research before purchasing the product.

6. Consult a security expert

When a problem arises, security experts should be brought in to resolve it. Security experts can also be consulted before purchasing the product and during testing, where their input is far cheaper than after deployment.

7. Look for certified products

Customers should look for COTS products whose vendors hold third-party certifications as evidence of quality. CMMI and ISO certifications are two common examples. Note that these certify the vendor's development process rather than the security of a specific product, so they are supporting evidence, not a guarantee that the product is free of vulnerabilities.

8. Keep track of updates

Another way to mitigate the risks of COTS products is to keep track of updates from the vendor. Once a vulnerability in a product is detected it is quickly discussed in public forums, so attackers learn of it at the same time as customers. Vendors release patches, and customers have to apply them promptly to reduce the window of exposure.

9. Monitor and audit

All products should be monitored regularly and audited from a fresh, outside perspective. An audit by an outsider will surface critical points in the software that internal teams have grown used to, which is another way to mitigate risk.
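Three of the strategies above (know your components, understand the connections between them, and keep track of vendor updates) can be carried out together with a small amount of code. The script below is an added example written for this article, not code from the original page or from any vendor. Everything in it is constructed sample data: the product and library names, the versions, the dependency edges, and the "advisory" table of fixed versions are hypothetical and do not refer to real products or real vulnerabilities.

```python
"""Component inventory and impact analysis for a COTS deployment.

Added example, not from the original article. The inventory, the
dependency edges and the advisory table are constructed sample data
with hypothetical names and versions.
"""
from collections import deque

# Constructed inventory: component -> version currently deployed.
INVENTORY = {
    "acme-portal": "4.2.0",          # the COTS product itself (hypothetical)
    "acme-reporting": "4.2.0",       # vendor-supplied reporting module
    "embedded-webserver": "2.4.1",   # third-party component bundled by the vendor
    "xml-parser": "1.9.3",
    "crypto-lib": "3.0.7",
    "db-driver": "8.0.2",
    "corp-sso-plugin": "1.1.0",      # customer-written integration
}

# Constructed dependency edges: (dependent, dependency).
# "A depends on B" means a flaw in B can affect A.
DEPENDENCIES = [
    ("acme-portal", "embedded-webserver"),
    ("acme-portal", "acme-reporting"),
    ("acme-portal", "db-driver"),
    ("acme-portal", "corp-sso-plugin"),
    ("embedded-webserver", "crypto-lib"),
    ("acme-reporting", "xml-parser"),
    ("corp-sso-plugin", "crypto-lib"),
]

# Constructed vendor advisories: component -> first version containing the fix.
# Hypothetical entries, not real CVEs.
ADVISORIES = {
    "xml-parser": "1.9.4",
    "crypto-lib": "3.0.7",   # deployed version already carries the fix
}


def parse_version(version):
    """Turn 'a.b.c' into a comparable tuple of integers."""
    return tuple(int(part) for part in version.split("."))


def reverse_graph(edges):
    """Map each dependency to the set of components that depend on it."""
    rev = {}
    for dependent, dependency in edges:
        rev.setdefault(dependency, set()).add(dependent)
    return rev


def blast_radius(component, edges):
    """Every component that transitively depends on `component`."""
    rev = reverse_graph(edges)
    seen, queue = set(), deque([component])
    while queue:
        current = queue.popleft()
        for dependent in rev.get(current, ()):
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    return seen


def outdated_components(inventory, advisories):
    """Components whose deployed version is older than the vendor's fixed version."""
    return {
        name: (inventory[name], fixed)
        for name, fixed in advisories.items()
        if name in inventory and parse_version(inventory[name]) < parse_version(fixed)
    }


def impact_report(inventory, edges, advisories):
    """For each unpatched component, list the deployed and fixed versions
    and every component the flaw can reach through the dependency graph."""
    report = {}
    for name, (deployed, fixed) in outdated_components(inventory, advisories).items():
        report[name] = {
            "deployed": deployed,
            "fixed_in": fixed,
            "affects": sorted(blast_radius(name, edges)),
        }
    return report


if __name__ == "__main__":
    for name, info in impact_report(INVENTORY, DEPENDENCIES, ADVISORIES).items():
        print(f"{name} {info['deployed']} -> fixed in {info['fixed_in']}; "
              f"affects: {', '.join(info['affects'])}")
```

Run as a script, it reports only `xml-parser`, because `crypto-lib` is already at the fixed version, and shows that the parser flaw reaches `acme-portal` through `acme-reporting`. In a real deployment the inventory would come from the vendor's bill of materials or a scan of the installed product, and the advisory table from the vendor's security bulletins; the graph walk is what turns "a library we have never heard of has a patch" into "this is the exposed surface in our product."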

Software security is a huge topic, and it continues to evolve. This article has covered some of the risks of working with COTS products and some strategies for mitigating them.


Jayanthi Manikandan
Cyber Security Analyst
Jayanthi Manikandan has a Master's degree in Information Systems with a specialization in Information Assurance from Walsh College, Detroit, MI. She is passionate about information security and has been writing about it for the past 6 years. She is currently a Security Researcher at InfoSec Train.