Commercial Off-the-Shelf (COTS) Products

Commercial off-the-shelf products, or COTS, are services available for purchase on the open market. COTS software can often be configured or customized after you purchase it, making it vulnerable to security issues. These products are required to go through the City’s security process, though the required steps depend on the product type. To learn more about the security steps listed below, go to the Security section.

If you have specific questions about COTS, email NYC Cyber Command – Software Security Assistance (SSAP).

Out-of-the-Box COTS

The software is immediately usable out-of-the-box or can be set up easily (for example, by a member of your team who is not an IT specialist).

Required Security Steps
Project scoping document
Web vulnerability scan

Optional Security Steps
AppSec Platform


Configurable COTS

Changes to the software can be made using tools already built into the product. These changes remain functional after product updates. An example of a configurable COTS is Microsoft Dynamics CRM.

Required Security Steps
Project scoping document
Web vulnerability scan

Optional Security Steps
AppSec Platform


Customizable COTS

Changes to the software can be made using tools already built into the product, but may not remain functional after product updates. You can also make other changes to the product by changing the source code, but these changes may likewise stop working after product updates and can be costly to maintain.

Required Security Steps
Project scoping document
AppSec Platform
Web vulnerability scan