Marc Guardiola, CISO
31 October 2019

Don't let your software take you hostage

Companies that don't install software updates ought to be banned. Minister Grapperhaus is also done with it and wants the government to take action (Dutch) against companies that do not keep their internet security up to date. Various experts expressed support for this position, but at the same time criticised him for making the statement. Things are not as straightforward as the minister suggests. But why not?

That many companies lack an update policy is not fiction but fact. The National Cyber Security Centre, part of Minister Grapperhaus' own Ministry of Justice and Security, has been reporting on this for years in its Cyber Security Assessment (Dutch). We also see it in practice: updates and patches are installed late or not at all.

That is bad enough in itself, but it is worse when the situation results from a failing policy or plain negligence. Every company should have a reliable update policy, and together with our customers we make sure those policies are also consciously implemented.

But there can be other reasons for a company's decision not to install available updates and patches. Surprisingly, software vendors are often the reason customers do not install updates, and in all honesty this should not be happening.

Forced vulnerability

There are software vendors that do not allow their software to be used on underlying middleware or operating systems beyond a certain (minor) version. If customers upgrade anyway, the vendor will not support the application. That sounds like something from the 1990s, but some suppliers, sometimes including big traditional names, still demand it. In doing so they effectively hold their own customers hostage, and that behaviour should really be banned.

Why this happens is not even that straightforward or obvious. Often the vendor simply does not invest enough time in the product: it has to be tested again and again to confirm that it still runs in combination with new middleware or operating systems. We know from experience that a lot of software runs flawlessly on newer versions of the underlying middleware or operating system, but as long as that has not been officially tested, the supplier will not give the green light.

That puts customers in a difficult position. Often it is crucial software in which substantial investments have been made and which has not yet been written off. Simply replacing such software is not always possible (even though it would be sensible from a security perspective), and customers are very reluctant to lose the support of such a vendor. So in the end they keep running outdated versions of middleware or operating systems, and an unpatched platform exposes not only this specific application but every other piece of software running on the same systems.

What to do?

Get well informed. Prevention is always better than cure. Companies must not only have a decent update policy; they must also check that the products they buy from suppliers can meet that policy throughout the product's expected lifespan. Customers often discover too late that they are stuck with a product that does not fit their policy. Always ask for, and obtain, guarantees on this point before you enter into business with a supplier, and budget for the cost of any major upgrade.

Seek help. It is always conceivable, and it occasionally happens in practice, that there are compelling reasons to keep working with such a product for a certain time. If it really cannot be updated, isolate it as far as possible so that the security risk is contained: limit which systems can reach it and which systems it can reach, and monitor it more closely than the rest. And start a programme to replace the product.

Say goodbye. If your organisation is effectively held hostage by software that imposes unacceptable limitations on your update policy, you should, from a security perspective, retire it as soon as possible. In most cases alternatives are available that do offer proper support.
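To make the "check before you buy" and "isolate or replace" advice above concrete, here is an added example of my own (not code from the original article, from Solvinity, or from any vendor) that runs an update-policy check over a constructed inventory. Every product, platform, version and date in it is invented for the illustration. For each product it compares the highest platform version the vendor will support against the platform version that carries the current security fixes, and compares the date until which the organisation needs the product against the platform's end-of-support date; from that it decides whether the product is compliant, should be isolated while a replacement is planned, or must be replaced outright because the platform no longer receives fixes at all.

```python
"""Update-policy check for purchased software, run over a constructed inventory.

For every product we record the platform it runs on, the highest platform
version the vendor will still support, and the date until which the
organisation expects to use the product. For every platform we record the
version that currently carries all security fixes and the date after which
the platform receives no fixes at all. All names, versions and dates below
are constructed for this example.
"""
from dataclasses import dataclass
from datetime import date


def parse_version(text):
    """'8.10.2' -> (8, 10, 2); tuples compare numerically, strings do not
    (as strings, '8.9' would sort after '8.10')."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Platform:
    name: str
    latest_patched: str      # version you must run to have current security fixes
    end_of_support: date     # the platform receives no fixes of any kind after this


@dataclass(frozen=True)
class Product:
    name: str
    platform: str
    max_supported_platform: str   # the vendor withdraws support above this version
    expected_eol: date            # date until which the organisation needs the product


def assess(product, platform, today):
    """Classify one product against the update policy and say what to do."""
    blocked = (parse_version(product.max_supported_platform)
               < parse_version(platform.latest_patched))
    outlives_platform = product.expected_eol > platform.end_of_support
    if not blocked and not outlives_platform:
        action = "compliant"
    elif today > platform.end_of_support:
        # No fixes exist for the platform any more; isolation only buys time.
        action = "replace"
    elif blocked:
        # The vendor's ceiling stops us patching today: contain it, then replace it.
        action = "isolate and plan replacement"
    else:
        action = "plan replacement before platform end of support"
    return {
        "product": product.name,
        "platform": platform.name,
        "blocked_from_patching": blocked,
        "outlives_platform": outlives_platform,
        "action": action,
    }


def assess_inventory(products, platforms, today):
    """Assess every product and return the non-compliant ones, worst first."""
    by_name = {p.name: p for p in platforms}
    results = [assess(prod, by_name[prod.platform], today) for prod in products]
    order = {"replace": 0, "isolate and plan replacement": 1,
             "plan replacement before platform end of support": 2}
    return sorted((r for r in results if r["action"] != "compliant"),
                  key=lambda r: order[r["action"]])


# Constructed sample data: illustrative only, not real products or vendors.
AS_OF = date(2019, 10, 31)
PLATFORMS = [
    Platform("LegacyOS", latest_patched="7.9", end_of_support=date(2020, 11, 30)),
    Platform("AppServer", latest_patched="9.0.3", end_of_support=date(2024, 6, 30)),
    Platform("OldDB", latest_patched="5.7.28", end_of_support=date(2019, 6, 30)),
]
PRODUCTS = [
    Product("Invoicing", "LegacyOS", max_supported_platform="7.4", expected_eol=date(2023, 12, 31)),
    Product("Portal", "AppServer", max_supported_platform="9.0.3", expected_eol=date(2023, 12, 31)),
    Product("Reporting", "OldDB", max_supported_platform="5.7.10", expected_eol=date(2021, 12, 31)),
    Product("HRTool", "AppServer", max_supported_platform="9.0.3", expected_eol=date(2026, 1, 1)),
]

if __name__ == "__main__":
    for finding in assess_inventory(PRODUCTS, PLATFORMS, AS_OF):
        print(f"{finding['product']:10} on {finding['platform']:10} -> {finding['action']}")
```

Run as-is, the sample inventory yields three findings: Reporting must be replaced (its database platform is already out of support), Invoicing must be isolated because the vendor pins it below the patched OS version, and HRTool is fine today but is expected to outlive its application server's support window. The same check belongs in procurement, fed with the vendor's written support guarantees, so that the "isolate" and "replace" outcomes are discovered before signing rather than after.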

To get a grip on cyber security, an organisation must at least ensure that all software and hardware in use runs the latest updates and patches, or that these are installed as quickly as possible. Deliberately continuing to work with equipment and applications that are already known to contain security holes is irresponsible. At Solvinity we help our customers make this transition, and afterwards we keep them up to date.

It would be good if more attention were paid to software vendors who all but force their users into an unsafe policy. Suppliers should review their own policy in this area. Customers would be well advised to become a lot more assertive. And finally, the government should also pay more attention to this underexposed problem, which in my opinion and experience occurs far more often than is healthy for a safe society.
