A map of security risks associated with using COTS

1 June 1998

journal article
Published by Institute of Electrical and Electronics Engineers (IEEE) in Computer

Vol. 31 (6) , 60-66
https://doi.org/10.1109/2.683009

Abstract

Combining Internet connectivity and COTS-based systems results in increased threats from both external and internal sources. Traditionally, security design has been a matter of risk avoidance. Now more and more members of the security community realize the impracticality and insufficiency of this doctrine. It turns out that strict development procedures can only reduce the number of flaws in a complex system, not eliminate every single one. Vulnerabilities may also be introduced by changes in the system environment or the way the system operates. Therefore, both developers and system owners must anticipate security problems and have a strategy for dealing with them. This is particularly important with COTS-based systems, because system owners have no control over the development of the components. The authors present a taxonomy of potential problem areas. It can be used to aid the analysis of security risks when using systems that to some extent contain COTS components.

Keywords

This publication has 8 references indexed in Scilit:

An analysis of a secure system based on trusted components
Published by Institute of Electrical and Electronics Engineers (IEEE) ,2002
A quantitative model of the security intrusion process based on attacker behavior
IEEE Transactions on Software Engineering, 1997
Lattice-based access control models
Computer, 1993
Transaction Security System
IBM Systems Journal, 1991
Reflections on trusting trust
Communications of the ACM, 1984
The protection of information in computer systems
Proceedings of the IEEE, 1975
A note on the confinement problem
Communications of the ACM, 1973
Design of fault-tolerant computers
Published by Association for Computing Machinery (ACM) ,1967