Issue No. 06 - June (1998 vol. 31)
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/2.683009
Combining Internet connectivity and COTS-based systems results in increased threats from both external and internal sources. Traditionally, security design has been a matter of risk avoidance. Now more and more members of the security community realize the impracticality and insufficiency of this doctrine. It turns out that strict development procedures can only reduce the number of flaws in a complex system, not eliminate every single one. Vulnerabilities may also be introduced by changes in the system environment or the way the system operates. Therefore, both developers and system owners must anticipate security problems and have a strategy for dealing with them. This is particularly important with COTS-based systems, because system owners have no control over the development of the components. The authors present a taxonomy of potential problem areas. It can be used to aid the analysis of security risks when using systems that to some extent contain COTS components.
E. Jonsson and U. Lindqvist, "A Map of Security Risks Associated with Using COTS," in Computer, vol. 31, no. , pp. 60-66, 1998.