The company has implemented a number of systems to prevent such incidents

Oct 8, 2012 13:29 GMT  ·  By
Sophos wants to make sure that the incident caused by the faulty update never happens again

On September 19, security firm Sophos released a buggy update that triggered a large number of false positives and, in some cases, caused the deletion of components of the product itself. In a statement released last week, the company detailed the causes of the incident and the steps it is taking to prevent a repeat.

It all started when a Sophos analyst incorrectly coded an update to detection rules in an IDE file (the format Sophos uses to ship new detection identities). Although the mistake should have been caught by the firm’s 12-step testing procedure, a chain of human errors and other factors allowed the faulty update to be distributed to customers.

“In this case, a combination of human error in code review, human error resulting in incorrect interpretation of test results, and a mismatch in test environments meant that the faulty IDE was allowed to pass through to release,” the company explained.

The problematic IDE rule has been identified and fixed, and an updated version of the threat detection engine will be released soon.

Any one of the analyst’s unit test, the peer review, the identity validation, the detection tests or the false positive tests should have caught the bad IDE. In this case, however, the update passed every verification stage.

To address this particular issue, the firm has already introduced a policy of re-running all IDE tests whenever system failures or critical errors are identified. Its false positive testing systems have been enhanced and extended, and changes to general procedures will now go through more checks than before.

Additional measures will follow. Sophos plans to improve the resilience of the updating process, to strengthen its products’ self-protection capabilities, and to replace the “Delete” action for files flagged as suspicious with “robust recoverable quarantine functionality.”
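The last of those measures is the one that makes a bad detection rule survivable: if a false positive only moves a file into a store it can be recovered from, rolling back the rule restores every affected file. The following is an added illustration of that idea, not Sophos code and not a description of how its product implements quarantine. The class name, the `Example/FalsePositive-A` rule name and the sample file are all constructed for the demonstration; the point it shows is the copy-verify-then-remove ordering on the way in, the hash check on the way out, and bulk restore keyed on the rule that fired.

```python
"""Recoverable quarantine store: an added example, not Sophos's implementation."""
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class Quarantine:
    """Moves flagged files into an isolated store and can put them back.

    Each entry records the original path, permissions, SHA-256 and the
    detection rule that fired, so a bad rule can be rolled back in bulk.
    """

    def __init__(self, root):
        self.root = Path(root)
        self.files = self.root / "files"
        self.files.mkdir(parents=True, exist_ok=True)
        self.index_path = self.root / "index.json"
        if not self.index_path.exists():
            self.index_path.write_text("{}")

    def _index(self):
        return json.loads(self.index_path.read_text())

    def _write_index(self, index):
        self.index_path.write_text(json.dumps(index, indent=2))

    def isolate(self, path, rule):
        """Copy `path` into the store, verify the copy, only then remove the original."""
        src = Path(path).resolve()
        digest = sha256_file(src)
        index = self._index()
        entry_id = f"{digest[:16]}-{len(index)}"
        stored = self.files / entry_id
        shutil.copy2(src, stored)
        if sha256_file(stored) != digest:  # never delete until the copy is proven good
            stored.unlink()
            raise IOError(f"quarantine copy of {src} is corrupt; original left in place")
        os.chmod(stored, 0o400)  # the stored copy is read-only and never executable
        index[entry_id] = {
            "original_path": str(src),
            "mode": src.stat().st_mode & 0o777,
            "sha256": digest,
            "rule": rule,
            "time": time.time(),
        }
        src.unlink()
        self._write_index(index)
        return entry_id

    def restore(self, entry_id):
        """Put one entry back where it came from, after checking it is unchanged."""
        index = self._index()
        entry = index[entry_id]
        stored = self.files / entry_id
        if sha256_file(stored) != entry["sha256"]:
            raise IOError(f"stored copy {entry_id} does not match its recorded hash")
        dest = Path(entry["original_path"])
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(stored, dest)
        os.chmod(dest, entry["mode"])
        stored.unlink()
        del index[entry_id]
        self._write_index(index)
        return dest

    def release_by_rule(self, rule):
        """Roll back every file a given rule quarantined (the bad-IDE case)."""
        ids = [eid for eid, e in self._index().items() if e["rule"] == rule]
        return [self.restore(eid) for eid in ids]


def demo():
    """Round-trip a constructed sample file through quarantine and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        victim = Path(tmp) / "app" / "updater.bin"  # constructed sample, not a real component
        victim.parent.mkdir()
        payload = b"\x7fELF constructed sample bytes\n"
        victim.write_bytes(payload)
        q = Quarantine(Path(tmp) / "quarantine")
        q.isolate(victim, rule="Example/FalsePositive-A")  # hypothetical rule name
        removed = not victim.exists()
        restored = q.release_by_rule("Example/FalsePositive-A")
        return {
            "removed_after_isolate": removed,
            "restored_count": len(restored),
            "content_intact": victim.read_bytes() == payload,
            "index_empty": q._index() == {},
        }


if __name__ == "__main__":
    print(demo())
```

Two design choices matter here. The original is unlinked only after the stored copy has been re-hashed, so a failed copy leaves the file where it was rather than losing it; and every entry is tagged with the rule that fired, which is what turns "withdraw the bad IDE" into "restore everything that IDE touched" instead of a manual hunt for what went missing.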