Can We Ever Build Survivable Systems from COTS Components?
Using commercial off-the-shelf (COTS) components to build large, complex systems has become the standard way that systems are designed and implemented by government and industry. Much of the literature on COTS-based systems concedes that such systems are not suitable for mission-critical applications. However, there is considerable evidence that COTS-based systems are being used in domains where significant economic damage and even loss of life are possible in the event of a major system failure or compromise. Can we ever build such systems so that the risks are commensurate with those typically taken in other areas of life and commerce?
This paper describes a risk-mitigation framework for deciding when and how COTS components can be used to build survivable systems. Successful application of the framework will require working with vendors to reduce the risks associated with using the vendors’ products, and improving and making the best use of your own organization’s risk-management skills.
Keywords: Survivable System; Capability Maturity Model; Software Engineering Institute; Custom Development; Software Engineering Process