Software Best Practices to Minimize Risk

Overview

This page lists best practices to minimize risk when acquiring and installing open-source software or packages for Linux distributions or other operating systems.

Not all items below will be possible or practical to accomplish. Keep in mind that this is a risk-reduction exercise; following these best practices requires your best effort.

Machine/System Prerequisite:

Any system installing software under this guidance must be under ITS management, including use of University security tools, monitoring, and protections appropriate to the data and/or system risk classification.

Pre-Download

Source Verification

  • Only download software from official websites, app stores, or verified distributors.
  • Do not use third-party websites or torrents.
  • Linux + Avoid adding third-party PPAs (Personal Package Archives) unless they come from a trusted source.

Reviews and Reputation

  • Check reviews on trusted platforms like Trustpilot, app stores, or forums.
  • Look for red flags like frequent complaints about malware or suspicious behavior.
  • Search the CVE database for known issues and follow up to be sure they have been fixed.
    • https://www.cve.org/
  • Check change logs for frequent updates and for updates that address security issues.
  • Review any online privacy policy.
  • Review any online terms of service (TOS).
  • Verify credibility by researching the publisher's website, company, or other products.
  • Ask colleagues and peers for recommendations or concerns.

Digital Signatures

  • Check for a digital signature or certification (e.g., from Microsoft, Apple, or other trusted authorities).

File Size Check

  • Compare the file size with the expected size listed on the official website. A mismatch could indicate tampering.

File Name and Extension

  • Ensure the file name and extension match the official listing (e.g., .exe, .dmg, .zip).
  • Be cautious of double extensions (e.g., .exe.pdf) or unusual formats.

Post-Download

Antivirus/Antimalware Scan

  • Manually scan downloaded files through a reputable antivirus or antimalware scanner before opening.

Hash Verification

  • If provided, verify the file’s hash (e.g., MD5, SHA-256) against the official website’s listing.
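The three post-download checks above (file name and extension, file size, and hash) can be combined in one script. This is an added example, not part of the original guidance; the vendor "listing" dict, the PROGRAM_SUFFIXES set and the constructed sample payload are assumptions. It also shows why the hash matters: a same-length tampered file passes the size check and fails only the hash.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Assumed set of "runs as a program" extensions; one of them ahead of a harmless-looking final extension (report.exe.pdf) is the double-extension pattern.
PROGRAM_SUFFIXES = {".exe", ".msi", ".scr", ".bat", ".cmd", ".js", ".sh", ".dmg", ".pkg", ".run"}

def sha256_of_file(path):
    """Stream the file through SHA-256 so a large installer need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()

def name_findings(filename):
    """Flag double extensions; archives such as tool.tar.gz are left alone."""
    suffixes = [s.lower() for s in Path(filename).suffixes]
    hidden = [s for s in suffixes[:-1] if s in PROGRAM_SUFFIXES]
    return [f"double extension: {filename} hides {' '.join(hidden)}"] if hidden else []

def verify_download(path, listing):
    """Check a downloaded file against the official listing (dict with 'name', 'size' in
    bytes, 'sha256' copied from the vendor page). Empty result means every check matched."""
    findings = name_findings(os.path.basename(path))
    if os.path.basename(path) != listing["name"]:
        findings.append(f"name mismatch: expected {listing['name']}")
    size = os.path.getsize(path)
    if size != listing["size"]:
        findings.append(f"size mismatch: expected {listing['size']} bytes, got {size}")
    if sha256_of_file(path) != listing["sha256"].lower():
        findings.append("sha256 mismatch: do not install")
    return findings

def demo():
    """Constructed sample: a fake download with its 'published' listing, then a same-length tampered copy."""
    payload = b"constructed sample installer payload, not a real program\n"
    listing = {"name": "tool-1.2.zip", "size": len(payload),
               "sha256": hashlib.sha256(payload).hexdigest()}
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, listing["name"])
        with open(target, "wb") as fh:
            fh.write(payload)
        clean = verify_download(target, listing)
        with open(target, "wb") as fh:
            fh.write(payload[:-2] + b"X\n")  # one byte flipped, length unchanged
        altered = verify_download(target, listing)
    return clean, altered
```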

Linux +

  • Check the package metadata for legitimacy (dpkg-deb -I <package-file.deb>).
    • Compare the maintainer, version, and description fields with the official package documentation.
  • Check and review the list of dependencies to ensure no suspicious packages are also being installed.
  • Review custom installation scripts to ensure no suspicious commands will be executed.

Installation

System Backup

  • Create a system restore point, snapshot, or backup before installing any new software.

Read Permissions

  • Review the permissions or privileges the software requests. Avoid software that demands unnecessary access.

Custom Installation

  • Choose custom or advanced installation to remove bundled software or potentially unwanted programs (PUPs).
  • Linux + Use trusted package managers. Use apt, snap, or flatpak for installations, as these tools automatically verify package integrity.

Monitor Network Activity

  • During installation, use a firewall or network monitor to watch for unexpected connections or data transfers.

Post-Installation

Behavior Analysis

  • Monitor the software's behavior for unusual activities (e.g., high CPU usage, unexpected pop-ups).
  • Linux + Use htop or top to monitor active/running processes and identify any suspicious activity.
  • Monitor the software's behavior for unusual network or internet connections (open ports and connections to other hosts).
  • Review firewall or network logs for unexpected connections or data transfers during installation or start-up.
  • Linux + Use tools like netstat or ss to monitor network connections.

Scheduled Scans

  • Regularly scan your system with antivirus and antimalware tools (Cortex).
  • Regularly run a vulnerability scan (Tenable) of your system using an agent or an authenticated scan.
  • Linux + Use tools like rkhunter or chkrootkit to scan for potential rootkits or malware.
  • Linux + Use a Linux Security Module such as AppArmor to enforce security policies on applications.

Updates and Patches

  • Keep the software updated to avoid known vulnerabilities, but only download updates from official sources.

Backup and Recovery

Uninstall Tools

  • Use trusted uninstallers to remove software completely if issues arise.
  • Be prepared to revert to system restore point, snapshot, or backup.
  • Be prepared to format and wipe systems when issues cannot be resolved or there are lingering concerns.

Inventory

  • Maintain an inventory of the software on each system, including:
    • Software title
    • Version
    • Supplier/vendor contact information
    • Person responsible for maintaining the software
    • Basic install and update instructions
    • Software update log