8.4 Assess security impact of acquired software

Commercial-off-the-shelf (COTS)
Open source
Third-party
Managed services (Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS)

What is the best software source? The short answer is – it depends.

Commercial Off the Shelf (COTS)

The software is readily available. We buy it and install it. Hopefully, the manufacturer provides us with support.

It might be cheaper than writing our own program, if we only need a few licenses
The manufacturer can provide us with support when we need it (perhaps at a cost)
If the manufacturer has been around for a long time, the software might be reputable, or so you might think. In 2019 and 2020, hackers introduced malware into SolarWinds’ software code. SolarWinds digitally signed the code and tens of thousands of customers installed it. This resulted in malware affecting millions of devices, including many used by the United States Federal Government. People trusted SolarWinds, and so they trusted the malware-infected SolarWinds software.
We do not have access to the source code, so we don’t know how the software works or what is inside it.
The software might not do exactly what we want it to do – we might have to use multiple programs to accomplish a task, or we might have to sacrifice some features. The manufacturer might be able to customize the software at a high cost.
If we require many licenses, it might be more expensive than writing our own program.
We do not own the right to the software. If the manufacturer goes out of business, or stops supporting the software, we might have to find a new program.

Open Source

Open Source means that we can view the source code. It might also be free. Open source software is usually supported by a community.

We know what the source code contains. The community can readily evaluate the software and identify vulnerabilities, or so you might think.

In 2014, a major exploit known as Heartbleed caused security vulnerabilities across millions of websites, including Facebook, Google, and Revenue Canada. How did it work? OpenSSL – an open source SSL plugin – contained a security vulnerability. Despite being in use by millions of people for many years, nobody detected the vulnerability.
We can modify the source code as required to suit our needs.
We must verify that we download the software from a legitimate source. A hacker could take the legitimate software and introduce malware into it.
The support might be lacking. If the software is widely used, then we might be able to get some support from the community or from other communities (Stack Overflow, reddit, etc.).
If the open source program loses popularity, the community may stop supporting it.
Not every open source program is free. Some open source programs are free for non-commercial use, with advanced support for commercial purposes.

Third Party

We hire somebody to build the program for us. We might do this if we do not have the experience to build the program internally.

We can build the program to have exactly the features that we want, and we can have full control over it.
The third party that builds the program might own the source code unless we specifically put a clause in the contract saying that we do.
The third party might not provide us with a copy of the source code.
The third party has an opportunity to introduce malware into the source code.
The third party will know about the inner workings of the software. If the software is critical, then the third party will also know about our internal business processes. We do not want to outsource the development of software that is critical to our business.
If the third party goes out of business, we will not be able to make changes to the software. We will have to hire a new developer to first review the source code (if we have it) and try to understand it.

Managed Services

We rent the software from a cloud service provider. Many applications are sourced this way including Microsoft Office 365 and Salesforce. There are several models, as discussed earlier.

We can’t control or directly observe the service provider’s physical infrastructure. The best we can do is choose a service provider

That has implemented a reputable framework such as ISO 27000
That has many customers including the government.
That has been around for a long time and has a lot of experience
That spends a lot of money on security research and employs subject matter experts
That has audit tools and granular security controls

IaaS	Infrastructure as a Service A company will rent their physical infrastructure and pay per month or per hour. The customer will not deal with up front costs or hardware maintenance. The customer will see system components and will be responsible for configuring them. Examples include Amazon Web Services
SaaS	Software as a Service Software is licensed on a per hour or per month basis. The software is centrally hosted. The customer will not have to install software, manage licenses, or manage servers. Examples include Microsoft Office 365 and Salesforce
PaaS	Platform as a Service Hybrid of IaaS and SaaS Platform is licensed per hour or per month. Customer will not deal with hardware directly but is free to run any applications they want. Advantage is ability to run applications without having to build the underlying infrastructure. Example is AWS Hadoop
Public Cloud	A public cloud is available to the public. The hardware resources inside a public cloud are shared amongst all customers, which improves efficiency and reduces cost. Multiple customers may be provided access to the same physical server without realizing it (cloud software should prevent data leaks)
Private Cloud	A private cloud is built by one organization for its internal use. A large organization can use a private cloud to share resources amongst different departments.