Understanding the Risks of Commercial Off-the-Shelf Software (COTS)


Commercial off-the-shelf (COTS) software can be an attractive option for many companies when it comes to:

  • Purchasing an already-made, final software solution.
  • Purchasing a solution that is already tried, tested and trusted in the industry.
  • Not wanting to bring in a development team to build a bespoke solution.
  • Not wanting to manage a greenfield software development project.

    It can seem very attractive at first to jump into a COTS solution, but there are many things to take into account that can make it a less than ideal option. This is where analysing potential software reuse risks is highly recommended: it makes the difference between the overall cost saving initially expected and a failed attempt where the result ends up costing significantly more and the project overruns all of its checkpoints and completion dates.

    COTS is defined as software that can be used without modifications, and organizations that adopt a COTS-based systems approach generally expect either more rapid or less costly system construction (David J. Carney, Edwin J. Morris, Patrick R. H. Place, 2003).

    It is therefore easy to understand that one of the most attractive initial factors is the temptingly low price point, as opposed to the obviously more expensive bespoke development of a similar product (Keith Ballurio, Betsy Scalzo, Lou Rose, 2002).

    Some possible risks in using COTS may include:

  • A vendor may stop providing support, or may provide support that is inadequate for an organisation's needs.
  • No simple upgrade path between versions.
  • The product's development or maintenance may be dropped as time goes on.
  • Lack of a feature request process.
  • Lack of product enhancements, for example "add-ons" or "plugins" to extend functionality.

    There are many steps an organisation can take to reduce such risks. Before committing to a product, check that:

  • The development schedule for the software is realistic against both organisations' timelines.
  • The expected software lifetime falls within a period over which the vendor is able to support its use.
  • The platform is in line with the overall project architecture and the wider platform it is supposed to integrate into.
  • The development team has the necessary technical skills to reuse components as required.

    Further considerations raised in the literature include:

  • Lack of control over performance and functionality.
  • The interoperability of systems and applications (Dan Galorath, n.d.).
  • Lack of source code. Using a closed-source application poses additional risks, such as unknown security weaknesses, memory leaks or, at a stretch, dormant malicious code that may lie undetected for years until triggered at a much later date.

    Overall, COTS can provide a quick and cost-effective way to meet deadlines and keep budgets to a minimum; however, it is of great importance to rigorously determine whether any single product or component is the correct fit for your organisation or project, or whether something else would be better.

    References:

    David J. Carney, Edwin J. Morris, Patrick R. H. Place (2003). "Identifying Commercial Off-the-Shelf (COTS) Product Risks: The COTS Usage Risk Evaluation". Available from: https://resources.sei.cmu.edu/asset_files/TechnicalReport/2003_005_001_14267.pdf (accessed 8 July 2017).

    Keith Ballurio, Betsy Scalzo, Lou Rose (2002). "Risk Reduction in COTS Software Selection with BASIS". Available from: http://dl.acm.org/citation.cfm?id=707756 (accessed 8 July 2017).

    Dan Galorath (n.d.). "Software Reuse and Commercial Off-the-Shelf Software". Available from: http://www.compaid.com/caiinternet/ezine/galorath-reuse.pdf (accessed 8 July 2017).