Control 2.2: Ensure Software Is Supported by Vendor
Ensure that only software applications or operating systems currently supported and receiving vendor updates are added to the organization’s authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.
Category
Procedural
Purpose
The phrase "vendor supported software" means that a program or application used for enterprise business is a product currently offered and available for purchase from the developer. Furthermore, a supported application is still under active development, which means that software and security updates are regularly made available and distributed to customers. If an organization is using unsupported software, any computer system running that software will most likely be vulnerable to attack.
Software that is out of date often contains vulnerabilities and other software bugs that can be used by an attacker to gain a foothold within an enterprise network. The longer software goes without receiving an update, the more likely it is to have significant security problems. Therefore, triaging the number of bugs and their severity is key. Allowing unpatched and old software within an enterprise is one of the most dangerous practices possible from a security perspective.
Automation
This Sub-Control is not automatable. No automated method exists for a computer system to identify if software purchased from a vendor is currently supported.
Guidance and Tools
The primary thing that can be done is to understand the developer's support structure for any software application before it is purchased and installed. This may involve researching alternative products and the reviews available online. Useful items to investigate before the software is purchased include:
- Length of pledged support – Some products may be supported for 5 years, whereas others may only be supported for 6 months. This is one of the most critical factors.
- Cost of support – Many products will receive updates for free, yet others may charge for updates.
- Who will provide support – The original developer or some other developer may support the application.
- Support history – Pledges of support are often made, but sometimes not kept.
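Deciding whether a product is supported requires vendor input, as the Automation section notes, but once the vendor's pledged end-of-support date has been recorded in the inventory (the "length of pledged support" factor above), the tagging step from the control statement can be done by a script. The following is an added example, not part of the original guidance or of any CIS tooling; the inventory records, product names and dates are constructed, the status labels and the 180-day warning window are assumptions, and the only rule it encodes is the control's own: anything past its support date is tagged unsupported, and anything with no known support date is flagged rather than silently treated as supported.

```python
from datetime import date, timedelta

# Constructed inventory records for illustration only. The names, versions
# and dates are made up and do not describe real products. A missing
# support_end means the vendor has not published an end-of-support date.
SAMPLE_INVENTORY = [
    {"name": "ExampleDB",  "version": "9.1", "support_end": date(2023, 6, 30)},
    {"name": "ExampleOS",  "version": "12",  "support_end": date(2027, 12, 31)},
    {"name": "ExampleERP", "version": "4",   "support_end": date(2025, 3, 1)},
    {"name": "LegacyTool", "version": "1.0", "support_end": None},
]

# Assumed policy value: warn this far ahead of the vendor's end-of-support date
# so a replacement can be planned before the software becomes unsupported.
WARNING_WINDOW = timedelta(days=180)


def support_status(support_end, today):
    """Classify one record from its vendor-published end-of-support date.

    Returns one of the (assumed) tags 'unsupported', 'support-ending',
    'supported' or 'support-unknown'. Unknown dates are deliberately not
    treated as supported: the inventory owner has to go back to the vendor.
    """
    if support_end is None:
        return "support-unknown"
    if support_end < today:
        return "unsupported"
    if support_end - today <= WARNING_WINDOW:
        return "support-ending"
    return "supported"


def tag_inventory(inventory, today):
    """Return a copy of every record with a 'tag' field added."""
    return [dict(rec, tag=support_status(rec["support_end"], today))
            for rec in inventory]


def may_authorize(record, today):
    """Control 2.2 gate: only software that is currently supported may be
    added to the authorized inventory. Records whose support is ending soon
    are still supported today, so they pass; unknown status does not."""
    return support_status(record["support_end"], today) in ("supported", "support-ending")


def needs_attention(inventory, today):
    """Sorted names of everything that is not plainly supported, for review."""
    return sorted(rec["name"] for rec in tag_inventory(inventory, today)
                  if rec["tag"] != "supported")


if __name__ == "__main__":
    # Fixed reference date so the constructed sample gives stable output.
    today = date(2025, 1, 15)
    for rec in tag_inventory(SAMPLE_INVENTORY, today):
        print(f"{rec['name']:<11} {rec['version']:<4} {rec['tag']}")
    print("review:", needs_attention(SAMPLE_INVENTORY, today))
```

In practice the `support_end` field would be populated from the vendor's published lifecycle information at purchase time, which is exactly the research step the guidance above asks for; the script only keeps the tag consistent with that recorded date.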