In this day and age, having security problems with software is inevitable. So many people are trying to hack your shit from crazy Russians to the NSA.
WordPress, for example, has a very bad reputation for security and I would tend to agree. The latest version with no plugins is probably safe. However, that isn’t the version most people are running, and most people do use plugins.
The list of software that has or has had security issues is endless. Web browsers, OpenSSL, Operating Systems, and almost all software is affected.
So where do we go from here? Well, I say that we auto-update EVERYTHING. If you (like most people) think that is a terrible idea, you have most probably come into contact with poor-quality software made by shitty developers. If software is built to be auto-updated and developers know it will be auto-updated, they should put some effort into testing that update process to make sure everything still works after the update.
Any decent developer can make things backwards compatible and if fixing the problem breaks some functionality, maybe that functionality should be broken.
The best updates are the ones you don’t know about
Google’s Chrome web browser auto updates. It doesn’t give you any warning or notification during normal use, it just does it. I think it is one of the best implementations of auto updating out there.
Apple’s OS X has the ability to silently install security updates. This means a security update can be rolled out quickly and to everyone affected.
So why do so many people turn automatic updates off?
Because updates break your shit. Well, bad updates break your shit. I’ve never had a Chrome update that broke my browser. And that is my point. If the developers know their updates are going to be automatic, they keep them small, they keep them incremental and they test them properly. They don’t make big changes that break old functionality.
If WordPress forced everyone to auto-update, a lot of sites would break on auto-update day. But they shouldn’t. If they do break, it is because a plugin or theme uses functionality that has changed. Why has that functionality changed? Either it is careless development from WordPress developers or poor development from the plugin developers. Functions in a framework like WordPress get deprecated over time. If developers don’t remove deprecated functions, it is their own fault.
So what do we need to do?
Turn automatic updates on. If you pay for software, make sure it is updated and if it breaks, use support channels to report that. If you are using software that doesn’t get updated, or updated well, don’t pay for it. A customer’s wallet makes these decisions for companies. If you are managing developers, make sure they do a proper job with their updates. Frequent but small updates are a necessity in this day and age.
If you have a custom site, pay your developers a bit to update your site. Is it cheaper to pay them in advance or pay them after your site has been hacked to fix it and update it? If you have an SLA, it is probably included in that, you just need to ask for it.
So there you have it. Being aware, giving a shit and forcing people to do a proper job will leave you with software that is safe and secure. Well, more safe and more secure than what you have now.
Less than a day after posting this I found out that WordPress released an update with a core bug in it! It brought down sites and actually caused problems on clean installs. This is exactly the type of amateur mistake that stops people from auto-updating. So if you have a WordPress install, don’t update just yet. More info can be found here. What a fuck up.