    Interaction Partnering Criteria for COTS Components

    Commercial-off-the-Shelf (COTS) software provides a choice of products to streamline enterprise applications. COTS software integration can introduce security vulnerabilities due to mismatches between security constraints coupled with inadequate knowledge of interaction requirements. Though a component can be validated against its stand-alone functional and security requirements, two aspects of the validation for its integration are missing. First, no straightforward process exists to guide the developer in identifying integration-induced security risks. Second, interaction properties contributing security risks are not part of COTS product evaluation. In the former case, a process is needed to take advantage of selection criteria. In the latter case, interaction partnering criteria (criteria indicating how closely related the security constraints of two potentially communicating components are) must be defined. We examine these issues by defining initial interaction partnering criteria and exploring their use in a security profile for COTS components.