COTS Software Security for Government

The COTS Mandate

Commercial off-the-shelf (COTS) technology enables federal agencies to reduce cost, improve effectiveness, and provide broad functional capabilities to government applications. The Clinger-Cohen Act of 1996 directed federal agencies to maximize their use of COTS, but since these applications are developed for commercial purposes, they are often vulnerable to the unique risks faced by government systems. The burden of minimizing these risks has been placed largely on the government agency.

The COTS Security Paradigm

Government agencies face an uphill battle in controlling security risks across their organizations. The increased importance of third-party software and service providers, the interconnectivity of software systems, as well as the proliferation of Web services and Service Oriented Architecture (SOA) have led to an increased use of COTS applications. At the same time, quantifying the risk of purchased software has presented its own challenges. Without access to development tools or source code, government agencies have often been forced to either submit COTS to rigorous and time-consuming manual testing, develop their own applications, or leave themselves open to application vulnerabilities.

The Veracode Promise

Veracode enables government agencies to conduct security audits of COTS applications as part of an agency’s formal software acceptance process, without the need for source code or costly on-site consultants. Veracode inspects the application at the same level that it is attacked – the binaries. By assessing the final application code, Veracode ensures that all threats, including vulnerabilities and malicious code, are detected, thereby providing the most complete security audit across the extended supply chain.