Skip to main content


What is commercial off the shelf software?

Commercial off the shelf software (COTS) refers to any software pre-built by a third-party vendor and purchased or licensed for use by an enterprise. COTS provide powerful tools at a cost-effective price to meet your company’s needs. These pre-built applications are often seen to be of higher quality than those internally developed as their reliability is proven through use in other organizations, a competitive marketplace forces developers to increase quality while decreasing price and systems are well documented allowing for ease of maintenance.

COST and software production

In the production of your own applications, COTS cuts down development time and your time to launch. By purchasing premade libraries, frameworks and other building blocks off the shelf, your application can be launched in days or weeks opposed to months. Most applications today are built with the use of third-party software and the transition to this method of application development is only expected to continue.

Risks associated with off the shelf software

While there are many benefits to using COTS, bringing in untested 3rd party applications can leave your company open to the same threats as using any untested code. While many CIOs assume that their third-party software is safe out of the box, more often than not this is not the case. Veracode’s State of Software Security Report: Volume 2 found that 57% of third-party software failed to meet acceptable levels of security.

Vulnerabilities in third-party applications or software layers can lead to data loss, denial of service, cross-site-scripting (XSS), SQL Injection and a variety of other attacks by hackers or malicious software. It is estimated that the 3 out of every 4 companies will be targeted by web application exploits and 63% of reported data breaches were the result of a security deficiency in third-party code.

Not only do hacks and data breaches lead to a loss of time, money and reputation, but in industries such as healthcare, encroachment on the confidiential information can lead to regulatory backlash. Laws such as HIPAA place the burden on companies ensure that the information that they hold is not leaked. In the case of HIPAA compliance companies are required to defend their clients’ confidential information with a thorough security assessment and risk analysis. Despite these risks, a survey of 700 IT and security professionals found that only 14% of companies perform security reviews on every commercial application brought in house.


Protect against 3rd party applicaton vulnerabilities

The only way to ensure the safety of your third-party applications is to test them for their vulnerabilities and ensure that those vulnerabilities are remediated. Veracode’s VAST solution is the industry’s first comprehensive vendor application security compliance program that helps enterprises such as yours understand and better manage the security risks inherent in vendor supplied software.

Veracode is the only independent provider of cloud-based application intelligence and security verification service. To learn more about securing your COTS with Veracode please contact us or read more about VAST here.

Questions About Application Security?

Contact Us