Introduction
In the modern world, software plays a pivotal role in organizations of every kind. This makes software security paramount, because disruptions and attacks on software may pose significant risks to numerous stakeholders. This paper considers the pros and cons of commercial off-the-shelf software from the standpoint of security risk; discusses the benefits and drawbacks of using the Common Criteria for Information Technology Security Evaluation; and offers an integrated perspective on the purchase of commercial off-the-shelf software through the prism of security standards.
Strengths and Weaknesses of COTS Software: Security Issues
Commercial off-the-shelf (COTS) software is software that is sold ready-made and is usually offered to the public at large (Merkow & Raghavan, 2010). It can be contrasted with custom-made software, which is developed to the requirements of a particular organization and is typically used by that organization alone.
On the whole, COTS software is associated with a number of serious security risks. First, COTS software is usually mass-produced and generic (Miller, 2013). It is therefore more likely to be targeted by attackers, since a single vulnerability in widely used software yields many potential victims, whereas custom-made code offers only one; an organization can even be harmed as collateral damage in an attack aimed at other users of the same product (Miller, 2013). In addition, using COTS software often poses the same dangers as using any code whose security has not been tested; indeed, it is reported that more than half of COTS software may fail to meet acceptable levels of security (Veracode, n.d.). Where vulnerabilities exist in COTS software, an organization using it may suffer data loss, cross-site scripting, denial of service, invasion of privacy, or a number of other consequences of attacks by malicious software or hackers (Veracode, n.d.). Finally, COTS software producers tend to accept only limited liability for such failures (Miller, 2013).
However, COTS software also offers substantial advantages, such as shorter development time (the software can simply be purchased rather than built) and, where the product is simpler than a bespoke alternative, lower error rates as a result of that lower complexity (McGraw & Viega, n.d.). Because of these advantages, COTS software is used by numerous companies. Even so, an organization that adopts COTS software is advised to take preventive steps to improve its security and resiliency (Miller, 2013).
Pros and Cons of the Common Criteria, and Reasons for Existence of Alternative IT Security Evaluation Methods
Nowadays, the Common Criteria for Information Technology Security Evaluation (or simply the Common Criteria) are utilized across the world as a framework for assessing the security properties of information technologies (Common Criteria, 2017; Merkow & Raghavan, 2010, pp. 192-193).
The Common Criteria provide a number of benefits. For instance, they supply a single set of standards for assessing the security of software that is recognized across different legal systems. Without such a common framework, a client purchasing software created in another country (or the developer selling it) would have to show that the software meets the security criteria of the country where the customer is located, so a double evaluation, against the home standards of the developer and of the buyer, would be required. This problem is solved when the Common Criteria are accepted on both sides (Merkow & Raghavan, 2010). Also, a Common Criteria certificate lets clients confirm that at least some minimal level of security has been independently verified in the software they purchase, and, because a certificate states what was evaluated and to what level of assurance, it allows a minimally objective comparison of competing products.
Nevertheless, the Common Criteria have problems of their own (Conklin, White, Williams, Davis, & Cothren, 2016). For instance, the standards must be updated continuously to keep pace with new threats (Conklin et al., 2016). Also, the process of demonstrating adherence to the Common Criteria may in some cases be redundant or impractical for certain types of software, increasing the effort required to create such software while delivering rather limited benefit (Merkow & Raghavan, 2010, p. 208). In addition, evaluation may take so long that by the time a product receives certification it is already obsolete (Merkow & Raghavan, 2010). A related practical caveat is that a certificate covers only the specific version and configuration that were evaluated; a later release that patches newly found vulnerabilities falls outside the certified scope until it is evaluated again, so a purchaser must weigh a certified but outdated build against a patched but uncertified one.
Because of these drawbacks, other security standards also exist. Some pertain to a particular type of software, so as to reflect the concrete requirements that matter for that type; others regulate safety within a specific industry, such as aviation, where it is pivotal that software meet higher safety standards than average (Merkow & Raghavan, 2010).
Conclusion: An Integrated Perspective
On the whole, the use of COTS software poses a number of significant security risks to an organization that chooses to purchase and use it. A company that decides to use COTS software therefore needs to be aware of these risks and make an effort to ensure that the software is secure enough not to endanger the organization severely. One way to do so is to require that the software comply with recognized security standards such as the Common Criteria, which provide assurance that at least some minimal acceptable level of security has been met. In some industries, such as aviation, however, it is pivotal that software meet stricter standards, because the consequences of a successful attack may be significant and even physically dangerous.
References
Common Criteria. (2017). Common methodology for information technology security evaluation. Web.
Conklin, A., White, G., Williams, D., Davis, R., & Cothren, C. (2016). Principles of computer security (4th ed.). New York, NY: McGraw Hill.
McGraw, G., & Viega, J. (n.d.). Why COTS software increases security risks. Web.
Merkow, M. S., & Raghavan, L. (2010). Secure and resilient software development. Boca Raton, FL: CRC Press.
Miller, C. (2013). Security considerations in managing COTS software. Web.
Veracode. (n.d.). Commercial off the shelf software – COTS. Web.