Domain 8 of 8 · Chapter 4 of 5

Acquired Software Security

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified Information Systems Security Professional premium course — no separate purchase.

Included in this chapter:

  • The acquisition channels and the one rule that spans them
  • Assessing each channel: attestation, SCA, contracts, shared responsibility
  • Exam-pattern recognition

Assessing the four acquired-software channels

Assessment axisCOTS (closed)Open sourceThird-party / custom-contractManaged / cloud (SaaS·PaaS·IaaS)
Source-code visibilityNone: binary onlyFull: you can read itOften deliverable / escrow-ableNone: service abstracted
Primary assurance methodVendor attestation, EULA, scan the binarySCA, SBOM, code/dep reviewContract terms + security acceptance testingSOC 2 / ISO 27001 + right-to-audit
Who owns the residual riskYou (vendor disclaims most liability)You (no vendor, no warranty)You; supplier bound by contract SLAsShared per service model; data/IAM always yours
Your leverage over the supplierLow: take-it-or-leave-it EULANone: no supplier to bindHigh: negotiated before signingModerate: contract + SLAs, not config access
Signature exam trapAssuming the vendor's patching is your problem solvedTreating 'open source' as 'risk-free' or licence-freeOmitting security from the statement of workBelieving the provider secures your data and access

Decision tree

Can you read the source code? Yes (open source) SCA + SBOM, review the licence No An operated cloud service? Yes (SaaS/PaaS/IaaS) Shared responsibility + SOC 2, right-to-audit No Built for you under contract? Yes Security in the contract: SLAs + escrow No (closed COTS) Vendor attestation + EULA, scan the binary Always: you keep the residual risk and still own data, identity, and access

Cheat sheet

  • Acquiring software obtains a capability but never transfers the risk
  • The four acquired-software channels differ by visibility and leverage
  • Match the assessment technique to how much of the software you can see
  • For closed COTS, govern the vendor and still scan the binary yourself
  • A COTS support lifecycle is a security fact, not a procurement detail
  • Open source transfers no liability: there is no vendor and usually no warranty
  • Review the open-source licence before you distribute, not after
  • Transitive dependencies hide most open-source risk, so use SCA
  • An SBOM of what you consume makes "are we affected?" answerable fast
  • For custom-contract software, spend your leverage in the agreement
  • Source-code escrow protects you if a software supplier fails
  • The responsibility boundary slides from IaaS to PaaS to SaaS
  • Data classification, identity, and access stay the customer's in every cloud model
  • For a cloud provider you cannot configure, rely on attestation plus contract
  • Acquired-software assessment and supply-chain risk are different altitudes

Unlock with Premium — includes all practice exams and the complete study guide.

References

  1. NIST SP 800-218: Secure Software Development Framework (SSDF) Version 1.1 Whitepaper
  2. NIST SP 800-161 Rev. 1: Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations Whitepaper
  3. NIST SP 800-145: The NIST Definition of Cloud Computing Whitepaper