Using commercial off-the-shelf (COTS) components to build large, complex systems has become the standard way that systems are designed and implemented by government and industry. Much of the literature on COTS-based systems concedes that such systems are not suitable for mission-critical applications. However, there is considerable evidence that COTS-based systems are being used in domains where significant economic damage and even loss of life are possible in the event of a major system failure or compromise. Can we ever build such systems so that the risks are commensurate with those typically taken in other areas of life and commerce?
This paper describes a risk-mitigation framework for deciding when and how COTS components can be used to build survivable systems. Successful application of the framework requires working with vendors to reduce the risks associated with using the vendors' products, and improving and making the best use of your own organization's risk-management skills.