Acquired Software Security
Unlock the complete study guide + 1,040 practice questions across 16 full exams.
Bundled into the existing Certified Information Systems Security Professional premium course — no separate purchase.
Included in this chapter:
- The acquisition channels and the one rule that spans them
- Assessing each channel: attestation, SCA, contracts, shared responsibility
- Exam-pattern recognition
Assessing the four acquired-software channels
| Assessment axis | COTS (closed) | Open source | Third-party / custom-contract | Managed / cloud (SaaS·PaaS·IaaS) |
|---|---|---|---|---|
| Source-code visibility | None: binary only | Full: you can read it | Often deliverable / escrow-able | None: service abstracted |
| Primary assurance method | Vendor attestation, EULA, scan the binary | SCA, SBOM, code/dep review | Contract terms + security acceptance testing | SOC 2 / ISO 27001 + right-to-audit |
| Who owns the residual risk | You (vendor disclaims most liability) | You (no vendor, no warranty) | You; supplier bound by contract SLAs | Shared per service model; data/IAM always yours |
| Your leverage over the supplier | Low: take-it-or-leave-it EULA | None: no supplier to bind | High: negotiated before signing | Moderate: contract + SLAs, not config access |
| Signature exam trap | Assuming the vendor's patching is your problem solved | Treating 'open source' as 'risk-free' or licence-free | Omitting security from the statement of work | Believing the provider secures your data and access |
Decision tree
Cheat sheet
Unlock with Premium — includes all practice exams and the complete study guide.