Nerd For Tech
Published in

Nerd For Tech

Software updates really are easy — for most of us most of the time

the four weekly themes of national Cybersecurity Awareness Month (CSAM), the one that aligns the most with the overall slogan “It’s easy to stay safe online” is last week’s “Software Updates.”

Updates really are easy — for most of us most of the time. More on that caveat later.

But for individual users of applications and operating systems, you could think of updates like a product recall without the hassle. We’re all familiar with vehicle recalls: The manufacturer sends out a notice to everybody who owns one of the models with the flaw. The dealers will fix it for free, but you have to make an appointment, take it in, and then wait hours or even days for it to get fixed.

Very inconvenient. But, of course, you do it. You don’t want your brakes to fail, your airbag to explode in your face while you’re doing 65 mph on the highway, or the water pump to fail when you’re three hours from home.

You do it because both your convenience and safety are at stake.

You should do that with your software product recalls as well, although they’re called updates or patches. Your online safety is at stake, which could affect your life as much as a car accident.

And most of the time installing them is ridiculously easy — you get a notice on your device from one of your apps telling you an update is available that usually provides “bug fixes, increased stability, and performance improvements.” Tap the icon, the update installs, and that’s it. No appointment needed, nowhere to go, and the wait is usually seconds to minutes unless it’s a major operating system update.

But apparently not all of us are doing it very consistently, hence the theme for week three of CSAM, now in its 19th year and operated and overseen by the National Cyber Security Alliance and the federal Cybersecurity and Infrastructure Security Agency.

The need for patches and updates should be obvious — software is never perfect, and one of the most common ways malicious hackers breach organizations or the personal devices of individuals is by exploiting those imperfections.

A cat-and-mouse game

That makes online safety an ongoing cat-and-mouse game. Software product vendors try to make patches/updates available to fix vulnerabilities as quickly as possible after they’re discovered. Hackers try to exploit those vulnerabilities before an update is available, or before users install it.

So the first piece of advice from CSAM is the most obvious. Install updates as soon as they’re available. “You can be sure the bad guys are always looking for new ways to get to your data through software, so updating your software is an easy way to stay a step ahead,” according to the CSAM website.

CSAM adds that “legitimate companies usually provide an option to update their software automatically. When there’s an update available, it gives a reminder so you can easily start the process. If you can’t automatically update it, remind yourself to check quarterly if an update is available.”

Second is to make sure the update you’re getting is from the correct source. As the CSAM puts it, “Never use a hacked, pirated, or unlicensed version of software (even if your friend gave it to you). These often contain malware and cause more problems than they solve.”

Indeed, one of the more popular attack techniques is to post “urgent” update notifications purporting to be for one of your applications that pop up when you visit a website. Don’t fall for it. Get your updates from the known website of the vendor.

For most individual users, following those recommendations will keep you about as safe as it’s possible to be online. Nothing can make you bullet-proof, but you won’t be so-called low-hanging fruit.

For organizations, it’s not that simple — technology rarely is. As Jonathan Knudsen, head of global research within the Synopsys Cybersecurity Research Center, puts it, for companies reliant on massive amounts of software to operate, “unfortunately, updating has its own risks. From an operational standpoint, the predominant mantra is ‘if it ain’t broke, don’t fix it.’ Because new versions of software sometimes have their own bugs and might introduce incompatibilities with other integrated software and systems. For corporate IT departments, updates must be vetted and tested before being deployed to all users.”

Indeed, updating can get very complicated for larger organizations. Travis Biehn, technical strategist with the Synopsys Software Integrity Group, said it can require installing an update in stages, so the IT team can “automatically execute test batteries that raise operational assurance, and then release updates to endpoints in real time.”

Reduce updates—build better software!

Knudsen said a lot of those headaches could be avoided by reducing the need for updates, which would require vendors simply to build better, more secure software products before putting them on the market.

“Updates for security fixes can be less frequent when more security vulnerabilities are found and fixed before the software is released,” he said. That’s possible when vendors use a secure software development life cycle, where security is an integral part of every phase of development, from design through implementation, testing, deployment, and maintenance.”

Another complication is that software updates may contain more dangers than those from inadvertent mistakes made by a development team. They could be corrupted by hackers.

The inevitable evolution of cyberattacks now includes hackers injecting malware into pending updates and then sitting back and letting that update spread that malware to everybody who’s trying to do the right thing — keep their software up-to-date.

The most notorious instance of that was the 2020 attack on Texas-based SolarWinds’ popular network management system called Orion. Hackers allegedly linked to Russian intelligence were able to inject malware into Orion, corrupting the update that then spread to at least 100 organizations plus multiple federal agencies including the departments of Homeland Security, State, Justice, Commerce and Treasury, plus NASA, the FAA, National Institutes of Health and National Nuclear Security Administration.

Debrup Ghosh, product manager at Synopsys, said the emergence of that threat shows the need for a service that will test updates to make sure they are “clean” before an organization installs them. “The market is begging for that,” he said.

Ensuring security across the supply chain is crucial, whether it’s software built in-house, acquired from open source, or bought from a supplier, he said. “Everything should be tested end-to-end before it can be accepted into production.”

Not so simple

Biehn said until such a service is available there are ways for organizations to test updates on their own, but they take time and labor. “These are experimental, and a little imperfect,” he said. “That’s just the nature of dealing with malicious code that is intentionally deceitful, rather than incidentally inconvenient.”

Those methods sound somewhat like testing software as it’s being built. “Static assessment looks for malicious code that looks like other malicious code seen before, heuristic static analysis looks for code that behaves similarly to other malicious code, and dynamic analysis actually runs all or parts of the update looking for behavior that is malicious,” Biehn said.

All of which can help an organization avoid the major headache of dealing with a malware infection but they are vastly more complicated than tapping an icon and waiting less than a minute for an update to install. A long way from easy.

Finally, a third complication is that not all updates are “pushed” to users of an application or other software product. Open source software components, which are in just about every codebase in use today and comprise an average of more than 75% of those codebases, are maintained by volunteer communities that find and fix bugs, but those updates are available on a so-called “pull” model. Users must keep track of those components, be aware that an update is available, and then download it from a repository.

That would be a nearly impossible task to do manually, but an automated tool called software composition analysis (SCA) can do it quickly and seamlessly for you. An SCA tool will help find open source components and flag any known vulnerabilities, letting you know when you need to update.

So while it’s not always easy for everybody, or every organization, to stay safe online, it’s worth the effort. The consequences of ignoring updates are far worse than any aggravation from installing them.

CSAM could pilfer a line from Nike. When it comes to updates, just do it.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Taylor Armerding

I’m a security advocate at the Synopsys Software Integrity Group. I write mainly about software security, data security and privacy.