How to perform a proper, secure third-party software download

Pushing third-party software downloads without thoroughly checking them may result in unintended code overwrites. Prevent such overwrites with this advice from Michael Cobb.

We all know it's best practice to run the latest versions of software applications, and we all know what a pain it can be to keep testing and installing new updates. This is particularly true when it comes to third-party components, such as WordPress plug-ins or modules for the DotNetNuke Web content management system, which may not be updated frequently.

Many of the update packages are straightforward to install, but, without a detailed, documented procedure, remembering any checks that need to be completed before clicking the install button can be difficult.

New releases of DotNetNuke, for example, overwrite the favicon.ico file unless it is removed from the install package. This isn't the end of the world, but if you have customised any of the source code of a third-party component, it may well be overwritten when a new version is installed. New releases of DotNetNuke overwrite many existing files, even if there are no changes to them from the previous release.

In cases like this, there are a couple of tips that can help make the software update process run smoothly. First, keep a change-control log and record all the files within a component that you have altered, so they can be compared with any new versions supplied in an update. If it's been a while since you looked at the code, you may struggle to remember exactly what you changed and why. This is why it is so important to comment code changes thoroughly, marking the start and end of the block of code you've amended. But how do you quickly see where the new updates differ from your own files?

Team editions of software development and source code version control programs often have tools that will compare files if they are part of the current project. It can be time-consuming, however, to add new files just so you can compare them. Another tip is to try the free Notepad++ text editor. It has an excellent file compare feature that makes finding differences between existing and new releases -- and thus the entire third-party code review -- much easier. This enables you to quickly see what changes have been made as part of the new release. You can then decide whether your own code changes need to be reintroduced or rewritten, or whether they are now obsolete because of improvements to the component itself.
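One way to automate that comparison, as an added example that is not part of the original article: a Python script that checks each file in a new release package against the installed copy using the kind of change-control log described above, so you can see which customised files the update would silently overwrite and which ones need a merge. File names and contents are constructed for illustration; the DotNetNuke-style names are assumptions, not the contents of any real package.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def classify_update(current_dir: Path, release_dir: Path, change_log: dict) -> dict:
    """Classify each file of a new release against the installed copy.
    change_log maps a customised file's relative path to the SHA-256 of the
    vendor's ORIGINAL file, recorded when you edited it (the change-control log).
    """
    report = {}
    for new_file in sorted(p for p in release_dir.rglob("*") if p.is_file()):
        rel = new_file.relative_to(release_dir).as_posix()
        installed = current_dir / rel
        new_hash = sha256_of(new_file)
        if not installed.exists():
            report[rel] = "new: added by vendor"
        elif rel in change_log:  # compare with the vendor original, not our edited copy
            report[rel] = ("customised, vendor changed: merge required"
                           if new_hash != change_log[rel]
                           else "customised, vendor unchanged: keep your copy")
        elif new_hash == sha256_of(installed):
            report[rel] = "identical: safe to skip"
        else:
            report[rel] = "vendor changed: review diff"
    return report

def demo() -> dict:
    """Run the check on a constructed sample tree (file names are illustrative)."""
    with tempfile.TemporaryDirectory() as tmp:
        cur, new = Path(tmp, "current"), Path(tmp, "release")
        cur.mkdir(); new.mkdir()
        # (installed bytes, release bytes); None means the file is absent on that side
        tree = {
            "favicon.ico":   (b"site-icon", b"vendor-icon"),         # customised, vendor unchanged
            "Login.ascx.cs": (b"vendor v1 + CUSTOM", b"vendor v2"),  # customised, vendor changed
            "web.config":    (b"<cfg/>", b"<cfg/>"),                 # untouched, identical
            "Default.aspx":  (b"page v1", b"page v2"),               # untouched, vendor changed
            "NewModule.dll": (None, b"MZ..."),                       # new in this release
        }
        for rel, (old, fresh) in tree.items():
            for root, data in ((cur, old), (new, fresh)):
                if data is not None:
                    (root / rel).write_bytes(data)
        # Change-control log: hashes of the vendor originals before we edited them
        log = {"favicon.ico": hashlib.sha256(b"vendor-icon").hexdigest(),
               "Login.ascx.cs": hashlib.sha256(b"vendor v1").hexdigest()}
        return classify_update(cur, new, log)
```

Files reported as "merge required" are the ones to open in a file-compare tool such as the Notepad++ feature mentioned above; "keep your copy" files can simply be excluded from the install package.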

Analysing source code is a painstaking task, but keeping a change-control log and having a free visual aid that is an excellent code editor itself makes the task somewhat easier and quicker. You're certainly far less likely to overlook any changes you've made or potentially break your application when you install any updates.

About the author:
Michael Cobb, CISSP-ISSAP, CLAS is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Cobb serves as’s contributing expert for application and platform security topics, and has been a featured guest instructor for several of’s Security School lessons.
