Why A Well Managed Software Inventory Is Important
07 April
What needs to go in a software inventory?
One of the essential prerequisites for a well-secured environment is knowing what you must secure. When it comes to software and application inventories, we look to the Center for Internet Security (CIS) Controls for inspiration.
CIS Control 2 (Inventory and Control of Software Assets) [1] contains a series of safeguards that, when followed, lay a good foundation for managing software. They cover how unauthorised software is detected and managed, as well as how unsupported software is prevented from running on your devices.
The first thing to consider is what information is important to store in a software inventory. In our experience, a good software inventory must contain at least the following information for every application:
- Software Name
- Software Publisher and contact details
- Licensing information / Renewal date
- Versions that are permitted for use in the organisation
- Locations/devices/groups where the software may be installed.
- Exceptions where the software must never be installed (e.g. do you really want to approve web browsers and extensions for your servers?).
- End-Of-Support (EOS) date
What is the EOS date?
Reputable software publishers share their EOS dates with customers as part of their software development lifecycle. Broadly speaking, this is the date after which the software developer will no longer issue any further updates or fixes for the product.
It is sometimes a struggle to find the EOS dates for some products, but helpfully there is a well-maintained and reliable third-party website: https://endoflife.date has an extensive, up-to-date list of EOS dates. Although it is not run by ANSecurity, we have in the past contributed information for the Palo Alto Networks products listed there.
The latest release prior to the EOS date will in most cases be the last version that is ever updated. There are a few rare and notable exceptions: for example, Microsoft released a patch for Windows XP to address the WannaCry ransomware in 2017, despite it being out of support [2].
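To show how the inventory fields listed above and the EOS date combine into the detection step CIS Control 2 asks for, here is an added Python example (not code from the original post or from ANSecurity). It holds one record per application, then compares a constructed list of discovered installs against it and flags unauthorised software, installs on excluded device groups, non-permitted versions, and software past its EOS date; all product names, versions and dates are hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class InventoryEntry:
    """One record per application, holding the fields listed above."""
    name: str
    publisher: str
    licence_renewal: Optional[date]     # None for software with no renewal
    permitted_versions: FrozenSet[str]  # versions approved for use
    allowed_groups: FrozenSet[str]      # device groups where it may be installed
    excluded_groups: FrozenSet[str]     # device groups where it must never be installed
    eos_date: Optional[date]            # None = publisher has not announced one

# Constructed sample inventory (hypothetical products, versions and dates).
INVENTORY = {
    "ExampleBrowser": InventoryEntry("ExampleBrowser", "Example Corp", None,
        frozenset({"120.1", "120.2"}), frozenset({"workstations"}),
        frozenset({"servers"}), None),
    "LegacyDB": InventoryEntry("LegacyDB", "Example Corp", date(2025, 1, 31),
        frozenset({"9.6"}), frozenset({"servers"}), frozenset(), date(2024, 6, 30)),
}

def review_installs(installed, inventory, today):
    """Compare (device, group, name, version) installs against the inventory."""
    findings = []  # (device, software name, reason) tuples for follow-up
    for device, group, name, version in installed:
        entry = inventory.get(name)
        if entry is None:
            findings.append((device, name, "not in inventory: unauthorised software"))
            continue
        if group in entry.excluded_groups:
            findings.append((device, name, f"installed on excluded group '{group}'"))
        elif group not in entry.allowed_groups:
            findings.append((device, name, f"group '{group}' not approved"))
        if version not in entry.permitted_versions:
            findings.append((device, name, f"version {version} not permitted"))
        if entry.eos_date is not None and entry.eos_date <= today:
            findings.append((device, name, f"past end of support ({entry.eos_date})"))
    return findings

# Constructed discovery output, as an endpoint agent or scanner might report it.
DISCOVERED = [
    ("ws-01", "workstations", "ExampleBrowser", "120.2"),  # compliant
    ("srv-07", "servers", "ExampleBrowser", "119.0"),      # excluded group, old version
    ("srv-02", "servers", "LegacyDB", "9.6"),              # past EOS
    ("ws-03", "workstations", "UnknownTool", "1.0"),       # not in inventory
]

def run_sample():
    """Review the constructed discovery data as of 7 April 2025 (hypothetical)."""
    return review_installs(DISCOVERED, INVENTORY, date(2025, 4, 7))
```

Calling `run_sample()` returns four findings: two for srv-07, one for srv-02 and one for ws-03, while the compliant install on ws-01 produces none.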
[1] https://www.cisecurity.org/controls/inventory-and-control-of-software-assets
[2] https://www.theguardian.com/technology/2017/jun/14/wannacry-attacks-prompt-microsoft-to-release-updates-for-older-windows-versions