
Who let the bugs out?
In the last post we looked at monitoring your instance for suspicious activity. This post focuses on software patching and updates, and their role in maintaining security. This topic is often ignored, yet many real-world breaches could have been avoided if available patches had been applied more promptly. For example, the high-profile Equifax breach in 2017, which exposed the personal data of 143 million people, exploited a known vulnerability for which a patch had been available for about 2 months.
Software is one of the ultimate tools of human ingenuity and allows us to create almost limitless functionality and capabilities. Software systems and applications can be very complex and can be made up of millions of lines of code. Because of this sheer scale and complexity, software inevitably contains flaws - or bugs - which may result in functional errors, performance issues, or security weaknesses (vulnerabilities).
As an analogy, you can think of these bugs as being like a known manufacturing fault in a lock or window – if they aren’t fixed, the bad guys will eventually find out and exploit the weakness to their advantage.
This is why software vendors release patches to address specific code issues. Sometimes, several fixes are 'rolled-up' together and released at the same time. Of course, software is often updated for other reasons, e.g. to add significant new features or to change its appearance; major updates often include multiple patches.
You can usually find out more about what has changed and why by checking the Release Notes.
Call in the exterminators
- Patch quickly - ServiceNow releases patches and updates through the Patching Program. Security patches are important and should obviously be installed as soon as possible. Customers are notified by email of the time window when the patches are due to be installed. Patches are applied to backup instances around 2 weeks before production. Instances remain online while patches are installed.
- Update regularly - Version updates are released roughly twice a year, e.g. New York, Orlando. Customers can schedule updates themselves through Instance Management in the Now Support (HI) Portal. We advise that you plan carefully and perform updates and testing on backup instances before updating the Production environment.
- Keep current - ServiceNow operates an N-1 support policy. Please ensure that major version upgrades are applied at least annually to maintain support.
Stamp them out
It is the customer's responsibility to make sure their instance is running the current (or previous) release, along with the latest patches. Unfortunately, patching is often perceived as an inconvenience, and may be overlooked in less mature organizations.
ServiceNow's patching program is designed to make this process easy, and updates can be installed at a time that suits you, within the specified window. Keeping software current helps to maintain security, and to ensure we can continue to support you effectively.
In the next post…
We’ve discussed why it’s important to keep your software up to date, and how we help make it easier for you. In the next post we'll look at some tools available to help you assess and maintain the security posture of your ServiceNow instance…