Software updates and server maintenance
Following on from our blog earlier in the month, our attention now turns to how we deal with software updates and server maintenance.
Data isn’t the only security consideration. Software vulnerabilities are a regular occurrence, particularly in the world of open source software.
Our operating systems, software and frameworks that we build our sites in, are all open to exploitation.
We do ensure though that we are always running versions of software that are maintained by the providers, and we migrate/upgrade before software versions reach EOS.
Last year, we had a drive to migrate legacy sites onto updated, secure servers. We did this by creating various server images, following security best practice(s).
We have policies for security patching servers, and run these updates out of hours.
Similarly, we have policies for framework and module patching and for critical updates, we insist on patching first and testing later. It’s better to be safe than sorry.
Access to our servers is also locked down, and again, we grant access on an individual “as-needed” basis, where each user has their own account to ensure we have full audit trails.
Part of the process involves regularly clearing up and removing legacy sites/tools from our servers, because unmaintained software can be a security risk, and our UAT servers run a tool to turn off old sites if they’re not accessed for a period of time.