4 cybersecurity insights to consider while waiting for your next software update

The recent global IT outage caused by a faulty software update is a stark reminder of the significance of software updates in today's integrated world. As our society increasingly relies on IT systems to function, a proactive approach in ensuring their safety has become more critical than ever.

The maintenance of software underlying these systems plays a key role in this effort. An important component of software maintenance are updates, which are the means by which functionality and security are improved. While updates can enhance security by addressing existing vulnerabilities in the software, they can also introduce new ones. This potential risk underscores the need to better understand the delicate balance between maintaining system security and ensuring operational stability.

In a recent study, we explored how the trends in software updates are related to the trends in software vulnerabilities. We collected and analyzed data from the National Vulnerability Database (NVD) over a period of five years (2018-2022) to understand this phenomenon. These were the insights that emerged:

One would expect that an increase in the frequency of reported vulnerabilities correlates with a corresponding rise in software updates and vice versa. However, we find no significant evidence to support this hypothesis. This indicates that the balance between updates and vulnerabilities is more complex; rather than a simple cause-and-effect relationship, the interplay between updates and vulnerabilities is likely influenced by a variety of other factors.

A software vulnerability severity score quantifies the impact and urgency of addressing security-related issues in both applications (apps) and operating systems (OS). Our analysis reveals that the average severity score of vulnerabilities across apps and OS is declining. The decrease indicates that vulnerabilities are becoming less severe on average. Interestingly, a closer inspection of the data reveals this is primarily driven by reduced security issues in apps. On the other hand, the average security score comprising only of the OS component has not declined over the years and is stagnant at a point that is considered high by industry standards.

Our research underscores the importance for IT professionals to consider not only the frequency of software updates, but also a range of other factors that influence the relationship between these updates and potential vulnerabilities. Key considerations include the degree to which security is entwined into the software development process. Software for which security has been incorporated at every step of the process minimizes vulnerabilities more effectively compared to when security comes as an afterthought.

Another important factor to consider is the nature of updates: whether they are minor, addressing routine bugs; or major, introducing significant new features that could also introduce new vulnerabilities. Furthermore, the complexity of the software is another crucial factor. Modular software allows updates to be deployed in isolation, minimizing risk, while highly integrated systems often require more extensive testing, making updates more challenging to implement effectively.

Moreover, the responsiveness of developers in addressing vulnerabilities is vital – whether patches are issued promptly after a vulnerability is discovered, or whether delays occur, leaving the software exposed to potential threats. Interestingly, the number of vulnerabilities over time also exhibit seasonality, which is likely driven by software-release schedules that adhere to a seasonal cadence. As shown below, the quarterly number of vulnerabilities consistently increases from the first to the second quarter, and peaks in either the second or third quarter. Professionals should account for this seasonality in their vulnerability management practices by paying attention to reported vulnerabilities in these periods.

The lag in security improvements for operating systems compared to app software raises the question of whether OS vendors can adopt practices from the app development world to enhance their security. At the very least, it underscores the need for more secure coding efforts by OS vendors, as this could help prevent severe vulnerabilities from emerging.

However, vulnerabilities may still arise despite robust and secure coding practices. One of the key reasons why vulnerabilities in OS tend to have high severity scores is because of the large impact they can have on IT systems. Thus, to reduce the average severity scores, vendors must find better ways to mitigate the impact vulnerabilities can have. One way to do this is by compartmentalizing the development of OS, ensuring that a vulnerability in one part of the system does not compromise other parts. While OS vendors are primarily responsible for improving security, end users also play an important role. In particular, they must remain vigilant by closely monitoring, reporting and promptly patching any vulnerabilities in their systems.

In an era where technology is central to business operations, ensuring security through software updating and proactive vulnerability management must remain a top priority for organizations. By learning from trends and integrating secure development practices, businesses can better mitigate risks and safeguard their systems.