FAQ on Software Inventory

1. What is software inventory?

Software inventory refers to keeping track of all software applications and operating systems installed on devices within a network.

2. Why is software inventory important for organizations?

Maintaining an accurate software inventory is essential for any organization. Without proper monitoring and control, unauthorized software and unmanaged devices can pose potential security risks for networks and sensitive data. Knowing which software applications and operating systems are being used can help organizations identify potential vulnerabilities and develop appropriate defense strategies.

3. How can organizations maintain an accurate software inventory?

Organizations can maintain an accurate software inventory by conducting a detailed inventory, implementing controls for unmanaged software, taking continuous inventory, establishing access controls, securing service accounts, maintaining audit logs, and conducting risk assessments.

4. What are the risks of not maintaining an accurate software inventory?

The risks of not maintaining an accurate software inventory include unauthorized software and potential security breaches, difficulty in incident response planning, and non-compliance with regulatory requirements.

5. What are the best practices for software inventory?

The best practices for software inventory include conducting a detailed inventory, implementing controls for unmanaged software, taking continuous inventory, establishing access controls, securing service accounts, maintaining audit logs, and conducting risk assessments.

6. How often should organizations conduct a software inventory?

Organizations should conduct a software inventory regularly (at least monthly) to ensure that all new software and changes to existing software are recorded and tracked.


*This article was written with the help of AI tools and Grammarly.

Software Inventory

Background on Software Inventory and CIS CSC Version 8 Safeguards

Software inventory refers to keeping track of all software applications and operating systems installed on devices within a network. This process is crucial for ensuring all systems are updated and secure against potential security risks.

To help organizations maintain accurate inventories of software assets, the Center for Internet Security (CIS) has developed the Critical Security Controls (CSC) Version 8, which includes specific safeguards for software inventory.

These safeguards are designed to help organizations implement effective procedures for creating and maintaining an accurate inventory of all software assets. By following these best practices and safeguards, organizations can reduce their risk of security incidents and potential security breaches.

Why Software Inventory is Essential

Maintaining an accurate software inventory is essential for any organization. Without proper monitoring and control, unauthorized software and unmanaged devices can pose potential security risks for networks and sensitive data. Knowing which software applications and operating systems are being used can help organizations identify potential vulnerabilities and develop appropriate defense strategies.

A detailed inventory can also assist in incident response planning and audits. In the event of a security breach or threat, a comprehensive software inventory can provide a better understanding of the potential impact and how to mitigate it. Furthermore, audits require accurate documentation of assets, including software applications and versions, as this information is critical for compliance and risk management purposes. Overall, investing in a software inventory constitutes an essential aspect of cyber hygiene, serving as a foundational piece for defending against potential security threats.

In sum, maintaining an accurate inventory of software and hardware assets is critical for organizations. It reduces the risk of unauthorized software and potential security breaches, supports incident response planning, and aids compliance and risk management efforts. By following industry-standard best practices, such as the CIS Critical Security Controls Version 8, organizations can ensure that software inventory procedures are implemented effectively and kept current through ongoing assessment and continuous monitoring.

Best Practices for Software Inventory

Keeping an accurate and up-to-date software inventory is one of the most important steps to protect your organization from security breaches and cyber threats. The following are best practices for software inventory based on CIS CSC version 8 and industry-standard safeguards:

1. Conduct a detailed inventory: Identify all your software applications, versions, and supporting systems. This information should be organized in a way that is easy to access and understand and can be updated regularly.

2. Implement controls for unmanaged software: Unauthorized software poses a significant risk to your organization’s security. Ensure you have controls to prevent employees from installing unapproved software without your knowledge.

3. Take continuous inventory: Your software inventory should be ongoing. Regular checks ensure that all new software and changes to your existing software are recorded and tracked.

4. Establish access controls: Make sure that software applications are accessible only to individuals with a business need. This will help you minimize risks associated with uncontrolled access to software.

5. Secure service accounts: Service accounts have elevated privileges and access to your organization’s assets. Ensuring these accounts are managed and controlled to minimize potential risks is essential.

6. Maintain audit logs: Enable audit trails to track changes to your software inventory. Audit logs should be stored securely and only accessible to authorized personnel.

7. Conduct risk assessments: Regular risk assessments can help you identify vulnerabilities in your software inventory. This information can then be used to minimize risks and strengthen your security posture.

By following these best practices, you can ensure that you keep your software inventory up-to-date and secure. It is essential in preventing cyber threats and protecting your organization’s assets.

Software Inventory Sample Policy

Software inventory is a critical aspect of an organization’s security posture. It helps identify potential vulnerabilities and reduce an organization’s attack surface. This policy is designed to help organizations maintain an accurate software inventory and comply with the CIS Critical Security Controls.

1. Purpose

This policy aims to ensure that all software applications are identified, tracked, and continuously monitored to minimize the risk of unauthorized software and potential security incidents.

2. Scope

This policy applies to all software applications used within the organization and all individuals with access to these applications.

3. Policy

3.1 Software Inventory

An accurate inventory of all software applications and their versions must be maintained by the organization. This inventory must be updated regularly to reflect any changes to the software used by the organization.

3.2 Controls for Unmanaged Software

The installation of unapproved software on organization-owned devices is strictly prohibited. An approval process must be established to ensure that all software applications the organization uses are appropriately vetted, tested, and approved by authorized personnel.

3.3 Continuous Inventory

The software inventory must be continuously monitored to ensure new applications are promptly identified and logged. This process must include a review of access controls to minimize potential risks associated with unauthorized devices and software applications.

3.4 Access Controls

Access to software applications must be restricted to individuals who require the software to perform their job functions. Users must be adequately identified and authorized, based on their job responsibilities, before they are granted access to any software application.

3.5 Secure Service Accounts

Service accounts must be carefully monitored and controlled to minimize the risk of unauthorized access to organizational assets. Passwords for service accounts must be complex and changed regularly to maintain the account’s security.

3.6 Audit Logs

Audit logs must be implemented to track changes to the software inventory. These logs must be stored securely and accessible only to authorized personnel.

3.7 Risk Assessments

Regular risk assessments must be conducted to identify potential vulnerabilities in the software inventory. The results of these assessments must be used to develop appropriate controls to minimize risk.

4. Enforcement

Failure to comply with this policy could result in disciplinary action, including termination of employment.

5. Review

This policy will be reviewed and updated annually to ensure compliance with industry best practices and changing security requirements. Any changes to the policy must be approved by the organization’s security team.

Software Inventory Sample Procedures

I. Identify and Classify Software:

a. Review organizational assets and identify software applications that are in use.

b. Classify software applications based on their level of security risk.

c. Assign each software application a unique identifier code.

II. Create a Software Inventory Database:

a. Develop a database to store the information gathered in step I.

b. The database must include the software application’s name, version, unique identifier code, and level of security risk.

c. Ensure access controls are in place for the database.

III. Create a Review Schedule:

a. Establish a schedule for continuously monitoring the software inventory.

b. Include a review of access controls during the review schedule.

IV. Perform Regular Audits:

a. Perform software inventory audits regularly.

b. Ensure unauthorized software is removed or approved according to the organization’s procedures.

V. Assess Risk:

a. Regularly assess risks associated with software in the inventory.

b. Identify potential vulnerabilities and determine appropriate controls.

VI. Implement Security Controls for Software:

a. Based on the risk assessment, implement security controls for the software in the inventory.

b. Monitor these controls regularly to ensure effectiveness.

VII. Document Changes and Updates:

a. Document all changes and updates to the software inventory database.

b. Assign a tracking number to the change or update.

c. Ensure that documentation is accessible only to authorized personnel.

VIII. Establish an Incident Response Plan:

a. Develop an incident response plan for potential security incidents.

b. Ensure the incident response plan includes software inventory control and management procedures.

IX. Conduct Regular Training:

a. Provide regular training to employees on the importance of software inventory management.

b. Ensure employees are aware of the organization’s policies and procedures related to software inventory control.

X. Continuously Monitor:

a. Continuously monitor the software inventory to ensure it is accurate and up-to-date.

b. Implement a system for reporting and tracking anomalies or changes found during monitoring.

By following these procedures, your organization will be able to comply with the CIS Critical Security Controls and industry-standard best practices for software inventory management. Regular review and monitoring of the inventory will reduce the risk of unauthorized software installations and potential security incidents.
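The best practices above (items 1, 3, 6 and 7) and procedure steps I, II, IV, VII and X all come down to one recurring operation: compare what is actually installed with what the inventory database says is approved, then record every discrepancy with a tracking number. The following Python script is an added illustration of that reconciliation and is not part of this article or of the CIS controls; the approved inventory, the discovered installations and the `SW-`/`CHG-` identifier formats are all constructed sample data and naming conventions assumed for the example.

```python
"""Reconcile discovered software installs against an approved inventory.

Added example. The approved inventory and the discovered installs below are
constructed sample data, not output from any real agent or package manager.
"""
import hashlib
from dataclasses import dataclass

RISK_LEVELS = ("low", "medium", "high")


def software_id(name: str) -> str:
    """Step I.c: derive a stable unique identifier code from the normalized name.
    (The "SW-" prefix and 8-hex-digit form are conventions assumed for this example.)"""
    digest = hashlib.sha256(name.strip().lower().encode()).hexdigest()
    return "SW-" + digest[:8].upper()


@dataclass
class ApprovedSoftware:
    """One row of the inventory database (step II.b): name, approved versions, risk level."""
    name: str
    approved_versions: tuple
    risk: str
    identifier: str = ""

    def __post_init__(self):
        if self.risk not in RISK_LEVELS:
            raise ValueError(f"unknown risk level: {self.risk}")
        self.identifier = software_id(self.name)


# Step II: the inventory database, kept here as an in-memory dict keyed by normalized name.
APPROVED = {s.name.lower(): s for s in (
    ApprovedSoftware("openssh-server", ("9.6p1", "9.7p1"), "high"),
    ApprovedSoftware("nginx", ("1.24.0",), "medium"),
    ApprovedSoftware("curl", ("8.5.0",), "low"),
)}

# Constructed sample of what a per-host agent or package-manager export might report.
DISCOVERED = [
    {"host": "web-01", "name": "nginx", "version": "1.24.0"},
    {"host": "web-01", "name": "openssh-server", "version": "9.7p1"},
    {"host": "web-01", "name": "curl", "version": "7.88.1"},
    {"host": "db-02", "name": "openssh-server", "version": "9.6p1"},
    {"host": "db-02", "name": "unapproved-vpn-client", "version": "2.1"},
]


def reconcile(discovered, approved):
    """Steps IV and X: classify every discovered install as approved,
    version drift (known software at a non-approved version) or unauthorized."""
    result = {"approved": [], "version_drift": [], "unauthorized": []}
    for item in discovered:
        entry = approved.get(item["name"].lower())
        record = dict(item)
        if entry is None:
            result["unauthorized"].append(record)
        elif item["version"] not in entry.approved_versions:
            record["identifier"] = entry.identifier
            record["expected"] = list(entry.approved_versions)
            result["version_drift"].append(record)
        else:
            record["identifier"] = entry.identifier
            result["approved"].append(record)
    return result


class ChangeLog:
    """Step VII: append-only change records, each with a tracking number
    ("CHG-NNNN" is a format assumed for this example)."""

    def __init__(self):
        self.records = []

    def record(self, action, detail):
        tracking = f"CHG-{len(self.records) + 1:04d}"
        self.records.append({"tracking": tracking, "action": action, "detail": detail})
        return tracking


def build_findings(discovered=DISCOVERED, approved=APPROVED):
    """Run the reconciliation and log every anomaly for review (steps IV.b and X.b)."""
    findings = reconcile(discovered, approved)
    log = ChangeLog()
    for rec in findings["unauthorized"]:
        log.record("review-unauthorized", rec)
    for rec in findings["version_drift"]:
        log.record("review-version-drift", rec)
    return findings, log


if __name__ == "__main__":
    _, log = build_findings()
    for r in log.records:
        d = r["detail"]
        print(r["tracking"], r["action"], d["host"], d["name"], d["version"])
```

Run on a real export, the script's only moving parts are the two inputs: `DISCOVERED` would come from each host's package manager or endpoint agent, and `APPROVED` from the inventory database. Version drift is tracked separately from unauthorized software because the two lead to different follow-ups (a patching ticket versus removal or an approval request under step IV.b), and the change log grows only by appending, so the tracking numbers stay stable for audit purposes.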


3 Tough Questions with Bill Sempf

Recently, I caught up over email with Bill Sempf. He had some interesting thoughts on software security, so we decided to do a 3 Tough Questions with him. Check this out!


A short biography of Bill Sempf: In 1992, Bill Sempf was working as a systems administrator for The Ohio State University, and formalized his career-long association with inter-networking. While working for one of the first ISPs in Columbus in 1995, he built the second major web-based shopping center, Americash Mall, using Cold Fusion and Oracle. Bill’s focus started to turn to security around the turn of the century. Internet-driven viruses were becoming the norm by this time, and applications were susceptible to attack like never before. In 2003, Bill wrote the security and deployment chapters of the often-referenced Professional ASP.NET Web Services for Wrox, and began his career in pen testing and threat modeling with a web services analysis for the State of Ohio. Currently, Bill is working as a security-minded software architect specializing in the Microsoft space. He has recently designed a global architecture for a telecommunications web portal, modeled threats for a global travel provider, and provided identity policy and governance for the State of Ohio. Additionally, he is actively publishing, with the latest being Windows 8 Application Development with HTML5 for Dummies.


Question #1: Infosec folks have been talking about securing the SDLC for almost a decade. If that is truly the solution, why haven’t we gotten it done yet?

For the same reason that there are still bugs in software – the time and money necessary to fix things. Software development is hard, and it takes a long time and lots of money to write secure software. Building security into the lifecycle, rather than just waiting and adding it to the test phase, is just prohibitively expensive.

That said, some companies have successfully done it. Take Microsoft for instance. For a significant portion of their history, Microsoft was the butt of nearly every joke in the security industry. Then they created and implemented the MSDL and now Microsoft products don’t even show up on the top 10 lists anymore. It is possible and it should be done. It’s just very expensive, and companies would rather take on the risk than spend the money up front.

Question #2: How can infosec professionals learn to better communicate with developers? How can we explain how critical things like SQL injections, XSS and CSRF have become in a way that makes developers want to engage?

There are two fronts to this war: the social and the technical. I think both have to be implemented in good measure to extract any success.

On the social side, infosec pros need to get out of the lab, and start talking at developer conferences. I have been doing this as a good measure since 2010, and have encouraged other community members to do the same. It is starting to work. This year at CodeMash, Rob Gillen and I gave a day-long training on everything from malware analysis to Wi-Fi to data protection. The talk was so popular that we needed to be moved into a bigger room. Security is starting to creep into the developers’ scope of vision.

Technically, though, security flaws need to be treated just like any other defect. The application security test team needs to be part of QA, treated just like anyone else in QA, given access to the defect tracking system, and post defects against the system as part of the QA process. Until something like the Microsoft SDL is implemented in an organization, integrating security testing with QA is the next best thing.

Question #3: What do you think happens in the future as technology dependencies and complexities ramp up? How will everyday life be impacted by information security and poor development/implementations?

More and more applications and devices are using a loosely connected model to support fast UIs and easy functional development. This means more and more business functionality exposed in the form of SOAP and REST services. These endpoints are often formerly internal services that were used to provide the web server with functionality, but are gradually being exposed in order to support mobile applications. Rarely are they fully tested. In the short term future, this is going to be the most significant challenge to application security. In the long term, I have no idea. Things change so fast, it is nearly impossible to keep up.


Thanks to Bill for sharing his insights. You can discuss them with him on Twitter, where he is @sempf. As always, thanks for reading!