National Academies Press: OpenBook
« Previous: Front Matter
Suggested Citation:"Workshop Introduction." National Academies of Sciences, Engineering, and Medicine. 2017. Software Update as a Mechanism for Resilience and Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/24833.
×

Workshop Introduction

The Forum on Cyber Resilience of the National Academies of Sciences, Engineering, and Medicine hosted a Workshop on Software Update at its Winter 2017 meeting on February 6, 2017, in Washington, D.C.

The workshop featured experts representing various industries, research laboratories, and government agencies. Speakers discussed experiences and challenges related to a range of issues surrounding software updates, reflecting on the historical evolution, exploring today’s tools and gaps, and considering future concerns and opportunities, especially as related to software update as a tool for improved cybersecurity and resilience. Participants identified key questions, suggested ideas, and closely examined uncertainties involved in improving software updates today and tomorrow.

The meeting was open to the public. This proceedings was created from the presenters’ slides and a full transcript of the workshop; it is intended to serve as a public record of the workshop presentations and discussions.

OPENING REMARKS

Fred B. Schneider, Ph.D., the Samuel B. Eckert Professor of Computer Science at Cornell University, member of the National Academy of Engineering, and Forum chair, opened

Suggested Citation:"Workshop Introduction." National Academies of Sciences, Engineering, and Medicine. 2017. Software Update as a Mechanism for Resilience and Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/24833.
×

the meeting with a brief overview of the National Academies’ Forum on Cyber Resilience. He then introduced the workshop’s topic with a metaphor: recycling. Soda used to come only in large glass bottles, but eventually cheaper, more convenient metal cans and plastic bottles were introduced. The new packagings had an unfortunate side effect: increased litter. Rebate and recycling programs, as well as laws criminalizing litter, evolved to address this problem, although, Schneider noted, “It took a while to put all the right mechanisms in place.”

Like the landscape of soda bottles littering our streets before recycling, we now live in a world that is fast accumulating the remnants of “disposable” software, Schneider said. People constantly replace their devices, and software vulnerabilities are constantly discovered and fixed. But a great deal of vulnerable software remains in use. This software is desperately in need of updates that, for a variety of reasons, it’s not getting. This software and these vulnerable systems are a new form of litter.

Software update methods allow us to “cope with the reality that there are going to be vulnerabilities,” Schneider said, by either patching or replacing vulnerable software. As software continues to proliferate and our lives become ever more dependent on it, the consequences of vulnerabilities grow. Deploying updates securely is also an increasingly complex technical challenge. No longer are updates just one aspect of a developer’s responsibilities, but they have become a central aspect of the industry.

Although not updating software is clearly problematic for security, deploying software updates also comes with risks. If an update goes wrong, the device could break or provide an opening for attackers. Any sort of centralized or automated distribution of updates becomes an attractive target for attackers. Even sending physical disks with updates through the mail, a system previously used for updating flight-control software on commercial airplanes, is not necessarily secure. Updates also, as a side effect, advertise that previous versions of the software are vulnerable to attack, even pointing attackers to specific vulnerabilities that can be exploited in non-updated devices.

Recertification of software raises other issues. After performing an update, a Naval warship might require 6 months in port to recertify all of its systems, Schneider noted. The lengthy recertification process also required for airplanes and medical devices means that automated updates (such as the regularly scheduled updates from Microsoft, known as “Patch Tuesday”) would be untenable in those situations.

Economics is also a concern, underscored by the proliferation of ever-cheaper mobile devices and the applications people buy for them. At these low price points, or “hit-and-run sales,” manufacturers may assume they are not entering into a long-term relationship with consumers. Such manufacturers might not feel obligated to provide

Suggested Citation:"Workshop Introduction." National Academies of Sciences, Engineering, and Medicine. 2017. Software Update as a Mechanism for Resilience and Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/24833.
×

software updates to provide the level of security that manufacturers of other types of products might provide. Users’ rights are also a factor: Deploying software updates can give manufacturers broad access to a user’s device, which raises potential privacy issues and creates antitrust minefields, Schneider said.

In short, cleaning up the “discarded soda bottles” of our Information Technology Ecosystem not only involves complex technical challenges, but economic, political, and social consequences, as well. The Forum provided a venue to dive into these issues, tease out nuances, and expose hidden assumptions surrounding the software updates.

Suggested Citation:"Workshop Introduction." National Academies of Sciences, Engineering, and Medicine. 2017. Software Update as a Mechanism for Resilience and Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/24833.
×
Suggested Citation:"Workshop Introduction." National Academies of Sciences, Engineering, and Medicine. 2017. Software Update as a Mechanism for Resilience and Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/24833.
×
Suggested Citation:"Workshop Introduction." National Academies of Sciences, Engineering, and Medicine. 2017. Software Update as a Mechanism for Resilience and Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/24833.
×
Suggested Citation:"Workshop Introduction." National Academies of Sciences, Engineering, and Medicine. 2017. Software Update as a Mechanism for Resilience and Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/24833.
×
Page 1
Suggested Citation:"Workshop Introduction." National Academies of Sciences, Engineering, and Medicine. 2017. Software Update as a Mechanism for Resilience and Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/24833.
×
Page 2
Suggested Citation:"Workshop Introduction." National Academies of Sciences, Engineering, and Medicine. 2017. Software Update as a Mechanism for Resilience and Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/24833.
×
Page 3
Suggested Citation:"Workshop Introduction." National Academies of Sciences, Engineering, and Medicine. 2017. Software Update as a Mechanism for Resilience and Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/24833.
×
Page 4
Suggested Citation:"Workshop Introduction." National Academies of Sciences, Engineering, and Medicine. 2017. Software Update as a Mechanism for Resilience and Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/24833.
×
Page 5
Suggested Citation:"Workshop Introduction." National Academies of Sciences, Engineering, and Medicine. 2017. Software Update as a Mechanism for Resilience and Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/24833.
×
Page 6
Next: 1 Policy Considerations: The Intersection of Public Values and Private Infrastructure »
Software Update as a Mechanism for Resilience and Security: Proceedings of a Workshop Get This Book
×
Buy Paperback | $60.00 Buy Ebook | $48.99
MyNAP members save 10% online.
Login or Register to save!
Download Free PDF

Software update is an important mechanism by which security changes and improvements are made in software, and this seemingly simple concept encompasses a wide variety of practices, mechanisms, policies, and technologies. To explore the landscape further, the Forum on Cyber Resilience hosted a workshop featuring invited speakers from government, the private sector, and academia. This publication summarizes the presentations and discussions from the workshop.

  1. ×

    Welcome to OpenBook!

    You're looking at OpenBook, NAP.edu's online reading room since 1999. Based on feedback from you, our users, we've made some improvements that make it easier than ever to read thousands of publications on our website.

    Do you want to take a quick tour of the OpenBook's features?

    No Thanks Take a Tour »
  2. ×

    Show this book's table of contents, where you can jump to any chapter by name.

    « Back Next »
  3. ×

    ...or use these buttons to go back to the previous chapter or skip to the next one.

    « Back Next »
  4. ×

    Jump up to the previous page or down to the next one. Also, you can type in a page number and press Enter to go directly to that page in the book.

    « Back Next »
  5. ×

    Switch between the Original Pages, where you can read the report as it appeared in print, and Text Pages for the web version, where you can highlight and search the text.

    « Back Next »
  6. ×

    To search the entire text of this book, type in your search term here and press Enter.

    « Back Next »
  7. ×

    Share a link to this book page on your preferred social network or via email.

    « Back Next »
  8. ×

    View our suggested citation for this chapter.

    « Back Next »
  9. ×

    Ready to take your reading offline? Click here to buy this book in print or download it as a free PDF, if available.

    « Back Next »
Stay Connected!