Managing software security updates

Software design and security patches go hand in hand, thanks to typical vendor-developed code that disregards secure design. In effect, that code invites hackers to "come on in!" Human nature normally lags behind the rapid pace of information technology, and programming technique is no exception. Only recently have programming curriculums begun to offer courses that focus on developing "tight" code that keeps out even a moderately capable intruder.

Still, a small number of the same old software vulnerabilities are responsible for the majority of successful attacks today. Hackers use the easiest attacks because tools to exploit the best known security flaws are readily available on the Internet, and they're successful because many organizations leave the most common flaws open to attack. It's not blind luck that these common vulnerabilities are discovered; hackers actively scan the Internet searching for easy marks. Will they get lucky and find your exposed networks, or will you get lucky and not be noticed ... today?

Managing the patchwork mess

Yep, identifying vulnerabilities, finding the correct software patches, downloading the code, installing the security update in the right sequence (assuming you've selected the correct fix for your application version) and validating effective installation is quite a process. And keep in mind this needs to be done before hackers send notice to your firm in their own special ways.

So you've got to create a system to manage security updates and patches for your software. This includes operating systems, business applications, Internet access and even security applications. While creating a security update system is daunting, once you've got one, your firm should be able to keep on top of the security maintenance challenge.

Surprisingly few steps can help you update and protect your systems against common exploits. Since small businesses don't have the myriad of software and network configurations that large corporations do, your firm should be able to keep track of security updates if you're systematic.

Begin by identifying and listing your software by type (e.g. operating, application, security), vendor, version, installation date, and installer. Every time you make a change on a software product, note the name of the update, patch, or fix installed, the functional description (what the code updates, adds, or modifies), where the code was obtained, the date it was downloaded, the date installed, and the name of the installer.

Retain your security update downloads in their own directory. Create a "readme" file to document the downloads' name, description, and date of storage.

Don't delude yourself -- even if you have no resources for a dedicated security staff, a security updating and patch documentation system is mandatory. If your firm outsources security or software updates, you should expect the vendor to send you its patch logs at your request. If the firm resists your request, or you experience slow or no delivery, that's a danger sign.

Security alert and patch resources

How do you know what patches you need to apply? The SANS Institute proposes "Ten Most Critical Internet Security Threats." Microsoft's TechNet site focuses on security updates and issues for its products. CERT also supplies a host of information to improve your security, as does ZDNet's Security IT Resource Center.

Don't try to review all sites for possible security alerts that might impact your firm. Pay primary attention to your firm's Internet and network protection needs. Save links to your vendors' sites to identify and download updates and patches relevant to your configuration. While this approach is no guarantee of perfection (if you find security guarantees, look out!), it will start your firm towards systematic security upgrading on a preemptive basis.

Although your firm will be more secure by taking this approach, you may have other vulnerabilities that are not addressed by your current software configuration. Vulnerability analysis, normally done by outside consultants, can uncover security requirements that your current applications may not be designed to handle.

What if you've done everything properly and you still get hacked? Take consolation in knowing that the only successful hacks into your network were intrusions where patches weren't available. When you can say that, your system is working.

Dr. Goslar is principal analyst and founder of E-PHD, LLC, a security industry research and analysis firm. He is also on the editorial board of the International Journal of Electronic Commerce and can be reached at Comments@E-PHD.COM.