Testing Commercial off-the-Shelf Systems

In Chapter 8 we looked at a number of ways to conduct security and resilience testing on custom-developed applications when design documentation and source code are available to the testing teams and security experts. When commercial off-the-shelf (COTS) software is used by custom-developed systems or offered as an infrastructure service, you may run into problems when you discover vulnerabilities during preproduction black box testing and penetration testing. In most cases, when problems are found with COTS systems, it’s difficult to identify what to do about them or even determine who to contact.