Website Security and Auto-Updates

If we could only auto-update our applications when vulnerabilities are identified, then we’d surely be safe… that seems to be today’s mindset. To a certain extent, that’s true, but it’s also false.

The idea of auto-updates is not new; it’s been around for a while. It’s all the rage as of late when we talk about websites. It only makes sense: if you know that the weakest link in the chain is the end user (who for whatever reason is unable to update), then remove the weakest link, and remove the choice.

The Challenges of Auto Updates in Website Security

There are however a few challenges that come to mind when I think about Auto-Updates, specifically how they relate to Website Security:

  1. Does little against Unknowns
  2. Introduces an unmanageable access point
  3. Goes against best practices
  4. Requires applications to write to themselves

1. Protecting Against Unknowns

My business partner recently put out a post on this very subject, Protecting Against Unknowns.

The idea of protecting against unknowns is to find a way to keep your environment protected regardless of what the issue is. It’s by no means an easy issue to tackle: how do you know what you don’t know? The reality, however, is that today’s security issues are often attributed to these unknowns. There is no denying that known issues are in fact targets; they get bundled into active exploit kits and get passed around the village for public consumption. Applying an update is in fact imperative to address these knowns.

So the obvious question becomes, ok, then how do you address Unknowns? And how does it relate to knowns?

Some recommendations include:

  1. Explicitly allow and block the rest (employ a white list approach)
  2. Leverage Firewalls and Intrusion Prevention Systems (IPS)
  3. Effective hardening in the place of popular hardening
  4. Look for Indicators of Compromise

2. Unmanageable Access Points

Everyday websites will give this little thought, but as you move up the chain to larger businesses and enterprises you quickly learn that having an unmanageable access point is very dangerous. This is contrary to everything that Security stands for, having one door completely open allowing any updates to be made.

3. Contradicts Best Practice Recommendations

When we talk about good website security and management, one of the things every website owner should have is a Staging and Production environment. Nothing should be occurring on Production without first going through Staging, such is the cycle that most enterprise environments employ.

We’re not even talking large enterprises, we could be talking small enterprises. Think design / development shops, or even managed host environments.

The importance of this process has been proven time and time again. A perfect example can be seen in the latest WordPress 4.0.1 security release that broke a number of websites. The argument is that this should never have happened because it was only a point release, but it’s a classic example of what does happen.

4. Requires Applications to Write to Themselves

One key configuration recommendation we make to all businesses when configuring their website is to place special emphasis on application writability on the web server. What I mean by this is the ability for the website application to write to itself.

Small businesses and website owners rarely employ it because it can be cumbersome and time consuming, yet they all fail to realize that this small step can do wonders in helping address both Known and Unknown security issues. If they employ #3 above, then this would also be a nonissue.
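
One way to check the writability point above, as an added example that is not from the original post: a shell function that lists every path under a web root that the web server account can modify according to file mode bits, minus directories that are explicitly allowed to stay writable. The numeric uid/gid arguments, the exceptions list and the sample path in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): list paths under a web root that the
# web server account is able to modify, judged by file mode bits.
# Assumptions: the account is passed as numeric uid and gid; directories that
# must stay writable (e.g. an uploads folder) are passed as exceptions.
# Simplifications: supplementary groups and ACLs are ignored, and file names
# containing newlines are not supported.

# usage: webroot_writable ROOT UID GID [ALLOWED_SUBDIR ...]
webroot_writable() {
    ww_root=${1%/}
    ww_uid=$2
    ww_gid=$3
    shift 3

    # Writable means: owned by the account with u+w, in its group with g+w,
    # or world-writable. Symlinks are skipped; their own mode bits say nothing
    # about the target.
    find "$ww_root" ! -type l \( \
            \( -user "$ww_uid" -perm -200 \) -o \
            \( -group "$ww_gid" -perm -020 \) -o \
            -perm -002 \) -print |
    while IFS= read -r ww_path; do
        ww_skip=0
        for ww_allowed in "$@"; do
            case $ww_path in
                "$ww_root/$ww_allowed" | "$ww_root/$ww_allowed"/*) ww_skip=1 ;;
            esac
        done
        if [ "$ww_skip" -eq 0 ]; then
            printf '%s\n' "$ww_path"
        fi
    done
}

# Run as a script: ./webroot_writable.sh /var/www/site 33 33 wp-content/uploads
# (path, ids and exception are constructed sample values).
if [ "$#" -ge 3 ]; then
    webroot_writable "$@"
fi
```

Anything it prints outside the allowed directories is application code or configuration that the web server process itself could rewrite.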

The Extensibility of Today’s Web Platforms

Regardless of the challenges I describe above, I also think about the various platforms and the one Achilles heel that always comes to mind: extensibility. This is independent of platform; they all allow and introduce some level of flexibility and extensibility to the website owner.

In a world where applications are highly extensible, allowing users to leverage templates, themes, modules, extensions, plugins, etc., I struggle to see an effective auto-update setup that works without stumbling into availability issues, like what the WordPress ecosystem just experienced.

It’s why we see the adoption of platforms like Tumblr, Squarespace, Wix and managed environments like

These are highly controlled environments that do two things: 1) minimize the flexibility and extensibility of a platform and 2) create a controllable space for the end user.