Versio.io

Software versions as the key to more cyber security

Identification of product versions for the evaluation of the release & patch status and the detection of published IT vulnerabilities

 
In this blog post we show two possible variants for determining software product versions on the hosts of an IT landscape. Knowing the exact version is an essential input to a cyber security assessment, in particular for evaluating the product lifecycle (release & patch strategy) and for identifying published IT vulnerabilities that affect the installed version.
 

Variant 1: Installed software

The simplest and most obvious variant is to query the operating system's package manager (Unix, Linux, macOS) or its software inventory (Windows, for example the uninstall entries that installers record in the registry) to find out which products have been installed on the host. Note that this only covers software installed through those mechanisms; an application that was manually unpacked, copied in as a single binary or started from a container image does not appear here (see Variant 2).

The following figure shows an example of how Versio.io presents this data in the platform. For each installed product, the manufacturer, the product name, the installed version and further metadata are recorded.
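As an added example (not Versio.io code and not the importer described above), the following Python script queries a Linux host's package manager with an explicit output format and normalises each record. The dpkg-query and rpm options are real; the Package structure, the upstream-version stripping and the SAMPLE_* output strings are this example's own constructions, so it also runs offline. It goes one step beyond the text: it separates the distribution's epoch and revision from the manufacturer's upstream version, which matters because a distribution may backport a security fix without changing the upstream number.

```python
"""Variant 1: inventory installed software via the package manager (Linux).
Added example, not Versio.io code. Explicit format strings keep the output
stable regardless of locale or column width; SAMPLE_* strings are constructed."""
import platform
import shutil
import subprocess
from dataclasses import dataclass

# One record per line, tab separated; ${Status} is "<want> <flag> <status>".
DPKG_CMD = ["dpkg-query", "-W", "--showformat=${Package}\\t${Version}\\t${Maintainer}\\t${Status}\\n"]
# VERSION-RELEASE mirrors what `rpm -q` prints; VENDOR is the packaging vendor.
RPM_CMD = ["rpm", "-qa", "--qf", "%{NAME}\\t%{VERSION}-%{RELEASE}\\t%{VENDOR}\\n"]

@dataclass(frozen=True)
class Package:
    name: str
    version: str   # exactly as the package manager reports it
    upstream: str  # manufacturer's number: epoch and distribution revision removed
    vendor: str    # packager (maintainer/vendor), which is not necessarily the manufacturer
    source: str    # "dpkg" or "rpm"

def upstream_version(version: str, source: str) -> str:
    """Strip packaging metadata so the result can be compared with vendor release notes.
    Caveat: distributions backport security fixes without raising the upstream number,
    so an "old" upstream version alone does not prove that a published vulnerability
    still applies; the removed revision tells you which distribution patch level is on."""
    if source == "dpkg":
        # Debian format: [epoch:]upstream[-revision]; the revision never contains '-'.
        epoch, sep, rest = version.partition(":")
        if sep and epoch.isdigit():
            version = rest
        return version.rsplit("-", 1)[0] if "-" in version else version
    # rpm: the format string emitted VERSION-RELEASE, and VERSION cannot contain '-'.
    return version.rsplit("-", 1)[0]

def parse_dpkg(output: str) -> list:
    packages = []
    for line in output.splitlines():
        if not line.strip():
            continue
        name, version, maintainer, status = line.split("\t", 3)
        # Removed packages whose config files remain are still listed; only the
        # "installed" state counts as installed software.
        if status.split()[-1] != "installed":
            continue
        packages.append(Package(name, version, upstream_version(version, "dpkg"), maintainer, "dpkg"))
    return packages

def parse_rpm(output: str) -> list:
    packages = []
    for line in output.splitlines():
        if not line.strip():
            continue
        name, version, vendor = line.split("\t", 2)
        packages.append(Package(name, version, upstream_version(version, "rpm"), vendor, "rpm"))
    return packages

def collect_installed() -> list:
    """Query whichever package manager the current Linux host actually has."""
    if platform.system() != "Linux":
        raise NotImplementedError("Windows inventory lives in the registry Uninstall keys; not shown here")
    if shutil.which("dpkg-query"):
        return parse_dpkg(subprocess.run(DPKG_CMD, check=True, capture_output=True, text=True).stdout)
    if shutil.which("rpm"):
        return parse_rpm(subprocess.run(RPM_CMD, check=True, capture_output=True, text=True).stdout)
    raise RuntimeError("no supported package manager found")

# Constructed sample output (not captured from a real host).
SAMPLE_DPKG = (
    "openssl\t3.0.13-0ubuntu3.4\tUbuntu Developers <devel@example.invalid>\tinstall ok installed\n"
    "openjdk-21-jre-headless\t21.0.5+11-1ubuntu1~24.04\tJava Maintainers <java@example.invalid>\tinstall ok installed\n"
    "apache2\t2:2.4.58-1ubuntu8.5\tUbuntu Developers <devel@example.invalid>\tinstall ok installed\n"
    "vim\t2:9.1.0016-1ubuntu7\tUbuntu Developers <devel@example.invalid>\tdeinstall ok config-files\n"
)
SAMPLE_RPM = (
    "openssl\t3.2.2-6.el9\tRed Hat, Inc.\n"
    "java-21-openjdk-headless\t21.0.5.0.11-1.el9\tRed Hat, Inc.\n"
)

if __name__ == "__main__":
    for pkg in parse_dpkg(SAMPLE_DPKG) + parse_rpm(SAMPLE_RPM):
        print(f"{pkg.source:4} {pkg.name:26} {pkg.version:26} upstream={pkg.upstream}")
```

On a real host, collect_installed() replaces the sample strings; the parsers are the same. When the resulting records are matched against published vulnerabilities, match on `upstream` but keep `version` alongside it, because the distribution revision is what tells you whether a backported fix is already present.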

 

Variant 2: Executed processes of the operating system

A more complex variant is to continuously detect all running processes on an operating system and then determine the version of each one. On Windows this is straightforward: the executable image of a running process carries a version resource with manufacturer, product name and product version, which can be read directly. On Linux-based operating systems there is no such standard, so version determination is trickier and requires a range of detection procedures, tried in turn. Here are some sources from which version information can be read, followed by an example of how a process including its detected version is shown in Versio.io:

  • Command line: java --version
  • Environment variable: JAVA_VERSION=21.0.5
  • Line in an info or configuration file: version: 21.0.5
  • Directory name: /opt/openjdk21.0.5/bin/java
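The four sources above can be combined into a detector that tries them in order of reliability. The Python below is an added example, not Versio.io's agent code; it generalises the list with two practitioner safeguards the text does not mention: binaries are only executed from an allowlist, and via /proc/<pid>/exe so that the image the process is actually running answers rather than a newer file on disk, and a process whose executable has been replaced on disk (the " (deleted)" suffix on the exe link) is flagged as stale, i.e. patched but never restarted. The allowlist, the candidate file names, the sample processes and the fake command output are all constructed for the example.

```python
"""Variant 2: derive product and version from running Linux processes.
Added example, not Versio.io code. Detectors run from most to least reliable;
host access (running a binary, reading a file) is injectable so the example
runs offline on the constructed samples at the bottom."""
import os
import re
import subprocess
from dataclasses import dataclass
from typing import Callable, Optional

VERSION_RE = re.compile(r"\d+(?:\.\d+){1,3}")
# Only these basenames are ever executed for a version string (assumed allowlist):
# running arbitrary binaries on a production host as the collector is not acceptable.
VERSION_FLAGS = {"java": ["--version"], "node": ["--version"], "python3": ["--version"],
                 "nginx": ["-v"], "redis-server": ["--version"]}
# Info/configuration files looked up beside the binary, one level up, and in the cwd.
INFO_FILES = ("release", "VERSION", "version.txt", "package.json")

@dataclass
class ProcessInfo:
    pid: int
    exe: str        # target of /proc/<pid>/exe; ends in " (deleted)" if the file was replaced
    environ: dict   # environment the process was started with (/proc/<pid>/environ)
    cwd: str = "/"

@dataclass
class Detection:
    product: str
    version: Optional[str]
    method: Optional[str]
    stale: bool     # runs code that is no longer on disk: updated but never restarted

def read_process(pid: int) -> ProcessInfo:
    """Read one live process from /proc (needs permission on the target pid)."""
    base = f"/proc/{pid}"
    with open(f"{base}/environ", "rb") as f:
        raw = [a.decode(errors="replace") for a in f.read().split(b"\0") if b"=" in a]
    environ = dict(a.split("=", 1) for a in raw)
    return ProcessInfo(pid, os.readlink(f"{base}/exe"), environ, os.readlink(f"{base}/cwd"))

def run_version_flag(proc: ProcessInfo, args: list) -> Optional[str]:
    """Run the image the process actually executes, via /proc/<pid>/exe rather than
    the on-disk path (which may already hold a newer file), with an empty environment."""
    try:
        r = subprocess.run([f"/proc/{proc.pid}/exe", *args], capture_output=True,
                           text=True, timeout=5, env={})
    except (OSError, subprocess.SubprocessError):
        return None
    return r.stdout + r.stderr   # java --version uses stdout, nginx -v uses stderr

def read_text(path: str) -> Optional[str]:
    try:
        with open(path, encoding="utf-8", errors="replace") as f:
            return f.read(65536)
    except OSError:
        return None

def detect(proc: ProcessInfo, run_flag: Callable = run_version_flag,
           read_file: Callable = read_text) -> Detection:
    stale = proc.exe.endswith(" (deleted)")
    exe = proc.exe[:-len(" (deleted)")] if stale else proc.exe
    product = os.path.basename(exe)
    # 1. Ask the binary itself, only if it is allowlisted.
    if product in VERSION_FLAGS:
        if m := VERSION_RE.search(run_flag(proc, VERSION_FLAGS[product]) or ""):
            return Detection(product, m.group(0), "version_flag", stale)
    # 2. Environment variable such as JAVA_VERSION=21.0.5 (set by many container images).
    for key, value in proc.environ.items():
        if key.upper().endswith("_VERSION") and (m := VERSION_RE.search(value)):
            return Detection(product, m.group(0), f"environ:{key}", stale)
    # 3. A "version: 21.0.5"-style line in an info or configuration file.
    exe_dir = os.path.dirname(exe)
    for base in (exe_dir, os.path.dirname(exe_dir), proc.cwd):
        for name in INFO_FILES:
            path = os.path.join(base, name)
            for line in (read_file(path) or "").splitlines():
                if "version" in line.lower() and (m := VERSION_RE.search(line)):
                    return Detection(product, m.group(0), f"info_file:{path}", stale)
    # 4. Version embedded in the installation path, e.g. /opt/openjdk21.0.5/bin/java.
    #    Lowest confidence: the directory is named by whoever unpacked the archive.
    if m := VERSION_RE.search(exe):
        return Detection(product, m.group(0), "directory_name", stale)
    return Detection(product, None, None, stale)

# Constructed sample processes and fake host responses (not real host data).
SAMPLE_PROCESSES = [
    ProcessInfo(101, "/opt/openjdk21.0.5/bin/java", {"JAVA_VERSION": "21.0.5"}, "/srv/shop"),
    ProcessInfo(102, "/usr/local/bin/node", {"NODE_VERSION": "20.18.0"}, "/srv/api"),
    ProcessInfo(103, "/srv/app/myservice", {"PATH": "/usr/bin"}, "/srv/app"),
    ProcessInfo(104, "/opt/redis-7.2.4/bin/redis-server", {}, "/"),
    ProcessInfo(105, "/usr/sbin/nginx (deleted)", {}, "/"),
    ProcessInfo(106, "/usr/local/bin/legacyd", {}, "/"),
]
FAKE_OUTPUT = {101: "openjdk 21.0.5 2024-10-15 LTS\n", 105: "nginx version: nginx/1.26.2\n"}
FAKE_FILES = {"/srv/app/VERSION": "version: 3.4.1\n"}

def detect_samples() -> list:
    return [detect(p, lambda proc, args: FAKE_OUTPUT.get(proc.pid), FAKE_FILES.get)
            for p in SAMPLE_PROCESSES]
```

On a live host, `detect(read_process(pid))` with the default callables does the real work. The `method` field is worth keeping in the inventory record: a version taken from a directory name deserves less trust than one the binary reported itself, and a `stale` hit is an open finding on its own, since the patched file on disk does not protect the process that is still running the old code.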

 

Comparison of the variants

Both variants have advantages and disadvantages, which are summarised in the following table:

Installed software products (Variant 1)
  Qualitative assessment:
  • By querying the package manager or the software inventory, all installed software products including their versions can be determined.
  • The version string follows the manufacturer's designation; for distribution packages it additionally carries the distribution's epoch and revision, which must be stripped before comparing against the manufacturer's numbering.
  Versio.io importer: Host installed software (agent-based and agentless)
  Effort/cost: low

Operating system processes executed (Variant 2)
  Qualitative assessment:
  • The software product and version can be determined for all executed operating system processes regardless of the deployment type (installation or manually unpacked application/binary); see the description of Variant 2.
  • Product and version determination includes third-party components (e.g. frameworks or libraries) where the technology allows it (e.g. Java or Node.js applications).
  Versio.io importer: Host process (agent-based)
  Effort/cost: high

Table: Comparison of the variants for determining software versions
 

Recommendation

The two variants for determining software versions can be used individually or in combination, depending on customer requirements. As a general recommendation for the different areas of responsibility in IT:
  • Desktop/end device management = installed software
  • Server management = installed software and/or operating system processes
We generally recommend that customers start with the installed-software variant. With little effort and cost, the majority of software versions can be determined, and the release & patch status and IT vulnerability assessment built on them already raise the level of cyber security considerably.
For complete coverage of business- and IT-critical host infrastructures, such as core or online applications, we recommend extending version detection to the executed operating system processes, which also catches software that was never installed through the package manager.
 

Outlook cybersecurity assessment

Version detection is the prerequisite for evaluating the product lifecycle and recognising known IT vulnerabilities. Both the assessment and the detection are fully automated in Versio.io.
The following questions are evaluated for each product version in order to assess its lifecycle:
  • Is it a stable version?
  • Is the latest release being used?
  • Is the latest patch version of that release being used?
  • Is a long-term support (LTS) version being used?
  • Is the latest long-term support version being used?
  • Does the manufacturer still provide customer service (support) for the deployed version?
  • Does the manufacturer still provide maintenance for the deployed version?
The result is a cyber security assessment for each recognised product version, with corresponding detail and references to the sources of information. Versio.io also recommends the product version to which an update or upgrade should be carried out in order to reach a compliant state with regard to cyber security. The following illustration shows such an evaluation of the software version for the Acrobat Reader product:
Figure: Product and version determination based on the software running on the operating system
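How the lifecycle questions above can be answered mechanically, as an added example (not Versio.io's assessment engine): a release catalog per product, a version parser, and an assess() function that returns one answer per question plus a recommended target version. The product exampledb, its release lines, LTS flags and support/maintenance dates are invented for the example, as is the upgrade policy in assess(); a real assessment loads the catalog from the manufacturer's published lifecycle information.

```python
"""Lifecycle assessment of a detected product version.
Added example, not Versio.io's assessment logic. CATALOG is a constructed release
table for a hypothetical product; real data comes from the manufacturer's published
release and support information."""
import re
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Release:
    line: str              # release line (version prefix), e.g. "7"
    latest: str            # latest version published for that line
    lts: bool
    support_end: date      # last day of customer support by the manufacturer
    maintenance_end: date  # last day of maintenance (fixes) by the manufacturer
    stable: bool = True    # False for preview / release-candidate lines

CATALOG = {  # hypothetical product, versions and dates: illustration only
    "exampledb": [
        Release("6", "6.2.9", True, date(2025, 6, 30), date(2026, 6, 30)),
        Release("7", "7.4.2", True, date(2027, 12, 31), date(2028, 12, 31)),
        Release("8", "8.1.0", False, date(2026, 3, 31), date(2026, 3, 31)),
        Release("9", "9.0.0-rc1", False, date(2026, 3, 31), date(2026, 3, 31), stable=False),
    ]
}

def parse_version(s: str) -> tuple:
    """'21.0.5+11' -> (21, 0, 5); build metadata and pre-release suffixes are dropped."""
    core = re.split(r"[+-]", s, maxsplit=1)[0]
    return tuple(int(x) for x in core.split("."))

def assess(product: str, version: str, today: date, catalog: dict = CATALOG) -> dict:
    """Answer the lifecycle questions for one detected version and recommend a target."""
    releases = catalog[product]
    v = parse_version(version)
    line = next((r for r in releases if v[:len(parse_version(r.line))] == parse_version(r.line)), None)
    stable = [r for r in releases if r.stable]
    latest_line = max(stable, key=lambda r: parse_version(r.latest))
    lts = [r for r in stable if r.lts]
    latest_lts = max(lts, key=lambda r: parse_version(r.latest)) if lts else None
    known = line is not None
    result = {
        "known_version": known,                     # False: version not in the catalog at all
        "stable": known and line.stable,
        "latest_release": known and line is latest_line,
        "latest_patch": known and v == parse_version(line.latest),
        "lts": known and line.lts,
        "latest_lts": known and line is latest_lts,
        "supported": known and today <= line.support_end,
        "maintained": known and today <= line.maintenance_end,
    }
    # Upgrade policy (an assumption of this example): a stable, supported and
    # maintained line only needs its latest patch; anything else moves to the latest
    # LTS line, or to the latest stable line for products without LTS.
    if result["stable"] and result["supported"] and result["maintained"]:
        result["recommended"] = line.latest
    else:
        result["recommended"] = (latest_lts or latest_line).latest
    result["update_needed"] = result["recommended"] != version
    return result
```

The same `today` value matters for reproducibility: an assessment run against a catalog with support dates gives different answers on different days, so the date used should be stored with the result. Pre-release and unknown versions never receive "stay where you are" as a recommendation, because neither is a state a production host should be in.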
 

Authors | 17 March 2025


Fabian Klose
Head of Software Development
P:  +49-30-221986-51
LinkedIn
Contact person
Matthias Scholze
Chief Technology Officer
P:  +49-30-221986-51
LinkedIn


Keywords: Software, Products, Versions, Release, Patch, Strategy, Vulnerability, Long term support, LTS
