Most IT infrastructures in a practical deployment environment include multiple Commercial-Off-The-Shelf (COTS) software components. Many of these components are legacy software whose source code may be unavailable, and the company or person who developed them may no longer exist or be reachable. Many other components run outdated versions, and the originating (source) vendor may no longer support that release, so security patches are no longer issued for them.
Other software components may have been developed internally, but at the time of development software security was treated as a low priority, and code-level security defects may never have received proper attention. Moreover, the developers and testers involved in those projects may no longer be with the enterprise. A few other components are unrelated to the enterprise's core technology; they may be used in payroll, marketing, or other domains where the everyday users are simply unaware of security defect mitigation techniques, or unwilling to spend the added effort to accommodate them.
As a result, the software ensemble as a whole is subject to a growing number of security vulnerabilities and an increasing risk exposure. The top-level stakeholders of the enterprise using the ensemble are responsible, civilly and sometimes criminally, for a breach in any one of these COTS software components. However, because the security risk of each COTS component is unknown, it is difficult to estimate the security risk at the level of an individual component, and more difficult still to scale that estimation process from one component up to an ensemble of many different COTS components.