The more businesses rely on connected systems to operate, the more vulnerable we are to system failure and hence to loss of business and open to reputational damage. That’s why keeping up with software and security updates is critical, and having trust in your vendor’s ability to provide this is just as important.
While quality updates are important for all software, cybersecurity products have their own unique challenges.
Cybersecurity software often operates with elevated privileges to access system-level functions required for threat detection and remediation. Because of this deeper access, any error or misconfiguration can lead to more severe consequences, such as a system-wide crash or blue screen, rather than a minor application failure. This makes meticulous care essential, especially when rolling out frequent updates, as even small mistakes can have widespread impacts.
WithSecure understands how important it is to ensure robust, fit-for-purpose updates.
And this is how it does that.
1. Update types
Updates that modify the behaviour of WithSecure Elements agents on an endpoint can be divided into two primary categories:
- Feature updates introduce new functionalities to the endpoint or address known software defects.
- Continuous intelligence updates ensure these features have the latest instructions for identifying both safe and suspicious activity, as well as recommendations for improving the overall security of the endpoint.
Each type of update follows its own release process, striking a careful balance between minimising release (and rollback) times and ensuring the correct behaviour on existing endpoints is thoroughly verified.
2. Endpoint segmentation
To separate the software testing environment from internal users and customers, and to support staggered releases, many updates are deployed gradually. These updates are first made available to a specific subset of endpoints while monitoring for potential defects.
All Elements installations are divided into four staggered groups or release stages:
- CI (Continuous Integration): Endpoints in WithSecure’s own test environments are solely for software testing prior to release. These environments test functionality and detection capabilities, including single-endpoint setups for specialised feature development. CI installations are confined to internal test environments, and successful CI testing is mandatory for all software development.
- Staging installations: Real-life endpoints controlled by WithSecure staff, used to verify and demonstrate new functionality already tested in CI. Although providing real-world protection similar to Production, Staging installations are not yet validated for customer use.
- Early Access installations (or Pilot): Endpoints selected by customers to receive updates early. All of WithSecure’s own endpoints fall into this category, offering the same protection as Production installations.
- Production installations: Comprising all customer endpoints that haven’t been selected for Early Access.
Certain updates are released sequentially through these groups (CI, Staging, Early Access, Production), with mandatory human reviews between stages to minimise risks. Other updates are released almost simultaneously to all groups to reduce customer exposure to new threats. The review process evaluates telemetry from endpoint agents, and updates are scheduled carefully—avoiding significant releases before weekends or during major holiday periods to ensure key personnel are available if needed.
Continuous Intelligence updates are released to CI, Staging, and Production environments. Before being deployed to any of these environments, each update undergoes rigorous testing to verify its correct operation. Production Protection updates are also checked for known false positives during this process. Early Access installations receive Continuous Intelligence updates that are identical to those used in the Production environment.
3. Architectural Considerations
WithSecure has intentionally minimised the kernel footprint of their software. This design choice makes it easier to recover from software defects and enhances platform compatibility. Additionally, as a result, protection updates are never directly accessed by kernel components.
4. WithSecure Release Process and Stages
RCB (Release Control Board) is a series of meetings where development team discusses specific feature update with stakeholders and decides whether to release it. The RCB Meeting consists of the development team, product owners, quality leads, and senior developers from other teams. Releases assessed to be higher risk than normal will additionally include customer support and sales representatives in the RCB meeting. Topics to review: test results, business case, dependencies, overall risk, customer feedback, release schedule and decision. The process has been evaluated and improved during earlier incidents.
It is important to highlight that the WithSecure release process is designed with robust checks and balances, ensuring that no single individual can release code to customers independently. Multiple safeguards are in place throughout the process to prevent this from happening.
Stay up-to-date and avoid a Crowdstrike moment.
