How many software bugs are too many? In the process of writing software, the unavoidable happens: the code contains bugs. Luckily, not all bugs are a problem. The top 50 vendors have an average of 48 vulnerabilities in each product. Most of the time a bug only affects or limits how the application works. On some occasions, however, a vulnerability can be exploited, and that is a problem that should not be underestimated.

We can reduce the probability that an attacker compromises an endpoint with an exploit by patching the software. To do this, we must keep track of all software so that only authorized software is installed and running. Software inventory tools are often part of an automated hardware inventory and discovery tool such as SCCM, JAMF or Ivanti IT Asset Management.

There are a few important things to keep in mind while handling software.

List approved software

You should maintain an up-to-date list of approved software. Knowing which software is installed and running gives us something to work with. Also make sure end-of-life (EOL) or end-of-support (EOS) software is tagged as unsupported: such software often no longer receives security updates and becomes an easy target for attackers.

Software inventory

Can you remember the old days when we installed and updated software from a compact disc? I certainly do. We made copies of the master disc and could update an entire department in one run! Keeping track of installed software, including the version number, was almost impossible back then. Today, automated software inventory registers when software is installed, which version, from which vendor, and assigns it to the specific asset while it's at it.

Mitigate the risks

Now that we know what is approved and what runs in the company, it is time to address everything that is not approved. This could be software installed by an end user with local administrator privileges. Rogue applications are a serious security risk because there is no way to guarantee they run the latest version with all bugs and vulnerabilities fixed. Freeware often comes with Potentially Unwanted Programs (PUPs) such as toolbars and web players, or worse. If you cannot remove an application, put it on the approved software list: there should be no grey area. High-risk software that may be EOL and no longer receives security updates should be isolated from the network as soon as possible.
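The three steps above (keep an approved list with EOL tags, collect the installed inventory, flag what is not approved) can be reconciled with a short script. The PowerShell below is an added example, not code from the original post or from any of the inventory products it names. It assumes the approved list is a CSV with the columns Name, Publisher, MinVersion and Status, where Status is either Approved or EOL; the product names, publishers and versions in it are constructed sample data. Get-InstalledSoftware reads the Windows uninstall registry keys (the same source most inventory agents use), while the demo at the bottom runs on a constructed inventory so it works on any machine with PowerShell.

```powershell
# Added example: reconcile installed software against an approved list.
# Assumptions: CSV columns Name,Publisher,MinVersion,Status (Approved|EOL);
# all product/publisher names below are constructed sample data.

function Get-InstalledSoftware {
    # Reads the 64-bit and 32-bit uninstall keys on a Windows endpoint.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            [pscustomobject]@{
                Name      = $_.DisplayName
                Publisher = $_.Publisher
                Version   = $_.DisplayVersion
            }
        }
}

function ConvertTo-VersionOrNull {
    # Vendors do not always ship clean dotted versions; treat unparsable ones as unknown.
    param([string] $Text)
    $v = $null
    if ([version]::TryParse($Text, [ref] $v)) { return $v }
    return $null
}

function Compare-SoftwareInventory {
    param(
        [Parameter(Mandatory)] [object[]] $Inventory,
        [Parameter(Mandatory)] [object[]] $Approved
    )
    foreach ($item in $Inventory) {
        # Match on name AND publisher so a look-alike name from another publisher is not approved.
        $match = $Approved |
            Where-Object { $_.Name -eq $item.Name -and $_.Publisher -eq $item.Publisher } |
            Select-Object -First 1
        $installed = ConvertTo-VersionOrNull $item.Version

        $verdict = if (-not $match)                                   { 'UNAPPROVED'   }  # remove, or add to the list
                   elseif ($match.Status -eq 'EOL')                  { 'EOL-ISOLATE'  }  # no more patches: isolate
                   elseif ($null -eq $installed)                     { 'UNKNOWN-VER'  }  # needs manual review
                   elseif ($installed -lt [version]$match.MinVersion) { 'OUTDATED'     }  # patch it
                   else                                              { 'OK'           }

        [pscustomobject]@{ Name = $item.Name; Publisher = $item.Publisher; Version = $item.Version; Verdict = $verdict }
    }
}

# --- Constructed sample data (replace $sampleInventory with Get-InstalledSoftware on a real endpoint) ---
$approved = @'
Name,Publisher,MinVersion,Status
Contoso Editor,Contoso Ltd,5.0,Approved
Fabrikam Viewer,Fabrikam Inc,2.0,EOL
'@ | ConvertFrom-Csv

$sampleInventory = @(
    [pscustomobject]@{ Name = 'Contoso Editor';  Publisher = 'Contoso Ltd';  Version = '5.2.0' }   # OK
    [pscustomobject]@{ Name = 'Contoso Editor';  Publisher = 'Contoso Ltd';  Version = '4.9.1' }   # OUTDATED
    [pscustomobject]@{ Name = 'Fabrikam Viewer'; Publisher = 'Fabrikam Inc'; Version = '2.0'   }   # EOL-ISOLATE
    [pscustomobject]@{ Name = 'Contoso Editor';  Publisher = 'Unknown';      Version = '5.2.0' }   # UNAPPROVED (wrong publisher)
    [pscustomobject]@{ Name = 'CoolToolbar';     Publisher = 'Unknown';      Version = 'beta'  }   # UNAPPROVED
)

Compare-SoftwareInventory -Inventory $sampleInventory -Approved $approved | Format-Table -AutoSize
```

Run it under a scheduled task or from your inventory tool's script runner and feed the UNAPPROVED and EOL-ISOLATE rows into a ticket queue; an entry that keeps coming back as UNAPPROVED is exactly the "grey area" the text says should not exist, and must either be removed or added to the list.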

Application Whitelisting

Reading this might already give you goosebumps, but application whitelisting is the way to go. It often sounds like an intensive job, but remember that we already (should) have the inventory of approved software. By enforcing application whitelisting we are only making sure that no risky software is installed or running. This should not be limited to Portable Executables (PE). PowerShell, Python and macro scripts must be digitally signed with your code-signing certificate and be put on the whitelist. Running unsigned scripts carries the same risk as running unapproved software and should be prevented.

Microsoft introduced AppLocker in Windows 10 and its server equivalent; it gives you control over which software and files users can run, including scripts and Dynamic-Link Libraries (DLLs). There are many other commercial solutions, such as Ivanti Workspace Control, with similar controls.
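To show how the two previous paragraphs translate into configuration, here is an added PowerShell example that is not part of the original post and is not Microsoft's own documentation: it requires signed scripts, signs an internal script with the company code-signing certificate, and builds an AppLocker policy from the approved install directory. The paths C:\ApprovedApps, C:\Scripts\Deploy.ps1 and C:\Policies\ApprovedSoftware.xml, the timestamp server URL and the toolbar.exe used in the test are placeholders; the certificate is assumed to be issued by your internal CA and present in the CurrentUser\My store. It must run in an elevated PowerShell session on a reference machine.

```powershell
# Added example: enforce signed scripts and build an AppLocker whitelist from
# the approved-software directory. All paths and URLs are placeholders.

# 1. Scripts: PowerShell refuses unsigned scripts once the policy is AllSigned.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

# 2. Sign the internal script with the company code-signing certificate.
#    A timestamp keeps the signature valid after the certificate itself expires.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
if (-not $cert) { throw 'No code-signing certificate found in Cert:\CurrentUser\My' }
Set-AuthenticodeSignature -FilePath 'C:\Scripts\Deploy.ps1' -Certificate $cert `
    -TimestampServer 'http://timestamp.example.com'   # placeholder TSA URL

# Verify: Status must be Valid. NotSigned or HashMismatch means the file was
# never signed or was modified after signing, and should not run.
$sig = Get-AuthenticodeSignature -FilePath 'C:\Scripts\Deploy.ps1'
"Deploy.ps1 signature: $($sig.Status) ($($sig.SignerCertificate.Subject))"

# 3. AppLocker: derive rules from the approved install directory. Publisher
#    rules cover signed files (and survive version updates); -RuleType Hash
#    is the fallback for unsigned files. Scripts and DLLs are included on purpose.
$fileInfo = Get-AppLockerFileInformation -Directory 'C:\ApprovedApps' -Recurse `
    -FileType Exe, Dll, Script
$policyXml = New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash -User Everyone -Optimize -Xml
New-Item -ItemType Directory -Path 'C:\Policies' -Force | Out-Null
$policyXml | Out-File -FilePath 'C:\Policies\ApprovedSoftware.xml' -Encoding utf8

# 4. Test before enforcing. Files not matched by any allow rule are denied
#    by AppLocker's default behaviour (PolicyDecision = DeniedByDefaultRule).
Test-AppLockerPolicy -XmlPolicy 'C:\Policies\ApprovedSoftware.xml' -User Everyone `
    -Path 'C:\ApprovedApps\Editor\editor.exe', 'C:\Users\Public\Downloads\toolbar.exe' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Apply on the reference machine; -Merge keeps rules that already exist.
#    For the fleet, import the same XML into a Group Policy object instead.
Set-AppLockerPolicy -XmlPolicy 'C:\Policies\ApprovedSoftware.xml' -Merge
```

Two caveats before rolling this out: the rule collections generated by New-AppLockerPolicy are not yet in enforce mode, so set them to AuditOnly first and review the Microsoft-Windows-AppLocker event logs for a few weeks to catch approved software the rules missed; and AppLocker only works while the Application Identity service is running, so make sure it is set to start automatically on every endpoint.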

Back To You

So, there is no reason not to do this properly. Software vulnerabilities are one of our biggest risks, and one that can be mitigated. It may be a tough job if there is no visibility right now, but it will be worth your while getting this right. The tools are in place – are you ready?

Sven Mik
Author

What drives me the most is helping companies and individuals to the next step in their cyber security maturity level. This drive, my technical knowledge and my passion for cyber security are why customers often see me as a trusted advisor.