Knowledge (XXG)

Commercial off-the-shelf

Products that are not heavily customized

Commercial-off-the-shelf or commercially available off-the-shelf (COTS) products are packaged or canned (ready-made) hardware or software that are adapted after purchase to the needs of the acquiring organization, rather than commissioned as custom-made, or bespoke, solutions. A related term, Mil-COTS, refers to COTS products for use by the U.S. military.

In the context of the U.S. government, the Federal Acquisition Regulation (FAR) defines "COTS" as a formal term for commercial items, including services, that are available in the commercial marketplace and can be bought and used under government contract. For example, Microsoft is a COTS software provider. Goods and construction materials may qualify as COTS, but bulk cargo does not. Services associated with commercial items may also qualify as COTS, including installation services, training services, and cloud services.

COTS purchases are an alternative to custom software or one-off developments, whether government-funded or otherwise.

Although COTS products can be used out of the box, in practice a COTS product must be configured to meet the needs of the business and integrated with existing organizational systems. Extending the functionality of a COTS product through custom development is also an option, but that decision should be weighed carefully because of its long-term support and maintenance implications: customized functionality is not supported by the COTS vendor, so it brings its own set of problems whenever the COTS product is upgraded.

The use of COTS has been mandated across many government and business programs, as such products may offer significant savings in procurement, development, and maintenance. Motivations for using COTS components include the hope of reducing a system's whole-of-life costs.

In the 1990s, many regarded COTS as extremely effective in reducing the time and cost of software development. COTS software came with many not-so-obvious tradeoffs: a reduction in initial cost and development time was exchanged for an increase in software component-integration work, dependency on the vendor, security issues, and incompatibilities introduced by future changes.

Software and services

COTS software and services are usually built and delivered by a third-party vendor. COTS can be purchased, leased, or licensed to the general public.

COTS can be obtained and operated at lower cost than in-house development, and can provide greater reliability and quality than custom-built software, because such products are developed by specialists within the industry and validated by various independent organizations, often over an extended period of time.

Security implications

According to the United States Department of Homeland Security (DHS), software security is a serious risk of using COTS software. If the COTS software contains severe security vulnerabilities, it can introduce significant risk into an organization's software supply chain. The risks are compounded when COTS software is integrated or networked with other software products to create a new composite application or a system of systems: the composite application inherits the risks of its COTS components, so a vulnerability in one component becomes a vulnerability of every system that embeds it.

DHS has sponsored efforts to manage supply chain cyber security issues related to the use of COTS. Nevertheless, software industry observers such as Gartner and the SANS Institute indicate that supply chain disruption poses a major threat. Gartner predicts that "enterprise IT supply chains will be targeted and compromised, forcing changes in the structure of the IT marketplace and how IT will be managed moving forward". The SANS Institute published a survey of 700 IT and security professionals in December 2012 which found that only 14% of companies perform security reviews on every commercial application brought in house, and that over half of the others do not perform security assessments at all. Instead, companies either rely on vendor reputation (25%) or on legal liability agreements (14%), or have no policy for dealing with COTS whatsoever, and therefore have limited visibility into the risks that COTS introduces into their software supply chain.

Issues in other industries

In the medical device industry, COTS software is sometimes classified as SOUP (software of unknown pedigree, or software of unknown provenance), i.e., software that has not been developed under a known software development process or methodology, which precludes its use in medical devices. In this industry, faults in software components can become failures of the device itself unless steps are taken to ensure that fair and safe standards are complied with. The standard IEC 62304:2006, "Medical device software – Software life cycle processes", sets out specific practices for ensuring that SOUP components support the safety requirements of the device being developed. Where the software components are COTS, the DHS best practices for COTS software risk review can be applied. Being COTS software does not by itself imply a lack of fault history or of a transparent software development process; well-documented COTS software can be distinguished as "clear SOUP", meaning that it may be used in medical devices.

Obsolescence

Main article: DMSMS

A striking example of product obsolescence is the PlayStation 3 cluster, which used Linux to operate. Sony disabled the use of Linux on the PS3 in April 2010, leaving no means of procuring functioning Linux replacement units. In general, COTS product obsolescence can require customized support or development of a replacement system. Such problems have led to government-industry partnerships, in which businesses agree to stabilize some product versions for government use and to plan some future features in those product lines as a joint effort. Some of these partnerships have in turn led to complaints of favoritism, of avoiding competitive procurement practices, and of using sole-source agreements where they were not actually needed.

There is also the danger of pre-purchasing a multi-decade supply of replacement parts (and materials) that will become obsolete within 10 years. All these considerations lead to comparing a simple solution (such as "paper and pencil") against overly complex ones, so as to avoid creating a "Rube Goldberg" system of creeping featurism where a simple solution would have sufficed. Such comparisons also consider whether a group is creating a make-work system to justify extra funding rather than providing a low-cost system that meets the basic needs, regardless of whether COTS products are used.

Applying the lessons of processor obsolescence learned on the Lockheed Martin F-22 Raptor, the Lockheed Martin F-35 Lightning II program planned for processor upgrades during development and switched to the more widely supported C++ programming language. It has also moved from ASICs to FPGAs, which shifts more of the avionics design from fixed circuits to software that can be carried forward to future generations of hardware.

COTS components are also part of upgrades to the sonar of United States Navy submarines.

See also

Commercial software
Commodity off-the-shelf
Government off-the-shelf
Non-developmental item
Host Based Security System
Independent software vendor
Invented here
Open Trusted Technology Provider Standard
Turnkey

References

Citations

"2.101 Definitions", U.S. Federal Acquisition Regulations, retrieved 2022-06-22.
"2.000 Scope of part". Acquisition.gov. Archived from the original on 2017-01-30. Retrieved 2018-10-02.
McKinney, Dorothy. "Impact of Commercial-Off-The-Shelf (COTS) Software and Technology on Systems Engineering". Presentation to INCOSE Chapters, August 2001. Archived 2020-07-31 at the Wayback Machine. Accessed January 28, 2009.
Ellison, Bob; Woody, Carol (2010-03-15). "Supply-Chain Risk Management: Incorporating Security into Software Development". Department of Homeland Security: Build Security In. Archived from the original on 2013-02-18. Retrieved 2012-12-17.
MacDonald, Neil; Valdes, Ray (2012-10-05). "Maverick Research: Living in a World Without Trust". Retrieved 2012-12-17.
Bird, Jim; Kim, Frank (December 2012). "SANS Survey on Application Security Programs and Practices" (PDF). Retrieved 2012-12-17.
Hobbs, Chris (2012-01-04). "Build and Validate Safety in Medical Device Software". Medical Electronics Design. Retrieved 2012-12-17.
"Medical Devices & Technology" (PDF). www.qnx.com. Retrieved 1 April 2018.
"Medical Design - Machine Design". medicaldesign.com. Retrieved 1 April 2018.
"PlayStation Support". us.playstation.com. Retrieved 1 April 2018.
"US Air Force gets a migraine from Sony's latest PS3 update". Archived August 20, 2012, at the Wayback Machine.
"F-35 jet fighters to take integrated avionics to a whole new level." Military & Aerospace Electronics, 1 May 2003.
"U.S. Navy Selects Lockheed Martin for Submarine Sonar Upgrades." Archived January 18, 2011, at the Wayback Machine.

Sources

"Commercial" is not the opposite of Free-Libre / Open Source Software (FLOSS)

Categories: Procurement; Engineering management

Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.