Security Recommendations: Software Installation and Usage

The fourth part of our Security Recommendations series focuses on a cautious approach when installing software or software packages. 

Why is it important?

Your device, personal data or company data may be compromised if you use outdated software or an outdated operating system, install software from untrusted sources, or load input data from unknown sources.

What to do:

1. Keep your programs and applications up to date.

  • Most programs have a built-in feature to automatically download and install updates to avoid excessive micromanagement.
  • Exceptions include certain combinations of software libraries that require older versions to remain mutually compatible.

2. Keep your operating system up to date.

  • Otherwise, your system is vulnerable to security exploits by malicious programs.

3. Do not use illegal software on company-owned or privately owned devices designated for work.

  • Apart from getting into legal trouble, illegally obtained software may contain malware.
  • For your own benefit, and to avoid legal consequences, don’t use illegal software at all.

4. Only download software from a trusted source.

  • It is recommended to install software or libraries from official sites, repositories and package managers.

5. When installing less-known software packages or libraries, double-check their names so you don’t fall victim to a typosquatting attack.

Versioning

6. Protect the main branch of your repository.

  • Typical protection rules for the main branch:
    • prevent direct pushing when working closely in a larger team (use pull requests instead),
    • prevent force-pushing (e.g., via git push -f).

7. Assign per-user access rights to a repository.

  • Not all users should be able to perform risky actions such as deleting, renaming or transferring the repository, or adding/removing collaborators.

8. Avoid using a private email address for messages.

  • Use your company email address. Alternatively, if your company uses GitHub for versioning, you may use GitHub’s feature to generate a “no-reply” email address that conceals your private address.

Usage of AI-related libraries and tools

9. For Python, be wary of files loaded via the pickle module that you did not create or do not trust.

  • This also applies to any library internally using pickle, e.g., loading Pandas DataFrames stored in pickle files.
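
As an added illustration of item 9 (not code from the original article): the Python example below lists the globals a pickle would import without loading it, then loads it through an unpickler that refuses any import outside an allowlist. The names pickle_imports, AllowlistUnpickler, guarded_loads and the Constructed sample class are assumptions made for this example.

```python
import io
import pickle
import pickletools

_STR_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}
_MEMO_OPS = {"MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"}

def pickle_imports(data: bytes) -> set:
    """List the (module, name) globals a pickle references, without loading it."""
    found, recent = set(), []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):        # protocols 0-3: "module name"
            found.add(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":          # protocol 4+: two pushed strings
            pair = recent[-2:]
            ok = len(pair) == 2 and all(isinstance(s, str) for s in pair)
            found.add(tuple(pair) if ok else ("<unresolved>", "<unresolved>"))
        if op.name not in _MEMO_OPS:             # memo writes leave the stack as is
            recent.append(arg if op.name in _STR_OPS else None)
    return found

class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that only resolves globals named in an explicit allowlist."""
    def __init__(self, file, allowed):
        super().__init__(file)
        self._allowed = allowed

    def find_class(self, module, name):
        if (module, name) not in self._allowed:
            raise pickle.UnpicklingError(f"blocked import {module}.{name}")
        return super().find_class(module, name)

def guarded_loads(data: bytes, allowed=frozenset()):
    """Load a pickle; the empty default allowlist admits import-free data only."""
    return AllowlistUnpickler(io.BytesIO(data), allowed).load()

class Constructed:
    """Constructed sample: its pickle makes the loader call print()."""
    def __reduce__(self):
        return (print, ("side effect on load",))

SAMPLE = pickle.dumps(Constructed())             # constructed input, benign

if __name__ == "__main__":
    print(pickle_imports(SAMPLE))
    print(guarded_loads(pickle.dumps({"rows": [1, 2, 3]})))
```

A pickled Pandas DataFrame references pandas and numpy globals, so an allowlist for such files has to be built from what pickle_imports reports for files you created yourself.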