
Pushing updates on Fridays poses a significant security risk.

Cichy, Maintainer of IanaIO - security · 4 min read


The often overlooked and unwritten rule of "do not deploy on Friday" has now become not only a written rule but one of the most critical principles in software engineering security.

While many cybersecurity companies ignored the fact that the recent meltdown at airports and global stock exchanges was caused by Microsoft together with CrowdStrike, a security company working with Microsoft, IanaIO - Security identified and prioritized this issue as a security vulnerability. Cybersecurity encompasses the protection of the customers of software providers, such as patients, investors, and travelers, not just the providers themselves.

This seemingly minor issue led to significant threats in several areas:

  • Patient safety (disabled computers in hospitals)
  • Financial security (risk of investors losing funds and disrupted liquidity due to disabled computers at global stock exchanges)
  • Freedom of movement (disabled computers at airports)

According to reputable sources such as Bloomberg News:

Bloomberg: Thousands of flights cancelled across the world after major Microsoft outage along with CrowdStrike. "From ATMs to Flights, Epic IT Crash Leaves Trail of Chaos" [https://www.bloomberg.com/news/articles/2024-07-19/microsoft-cloud-service-issues-disrupt-air-travel-operations?embedded-checkout=true]

  • Disruptions rippled across systems from Asia through Europe to the US (this includes the UK stock exchange, airports, and hospitals)
  • Issues triggered by a botched update of CrowdStrike software

IanaIO, as a pioneering company in cybersecurity, identifies this issue as a security concern because it impacts not only the provider but, more importantly, the safety of the customers who use this software daily. This problem also underscores the benefits of decentralization over centralization. While centralization is easier to control, it poses a significant risk of a complete meltdown if something goes wrong, as recently demonstrated. Decentralizing systems provides an additional layer of protection, emphasizing the importance of safe decentralization.

You shouldn't have an internet-connected privileged binary running on your production systems

In other words, do not grant kernel-level access to third-party vendors.

This security issue applies to every endpoint protection solution on the market today, and more generally to anything that is both privileged and internet-connected; it is not limited to endpoint protection. With endpoint protection it is actually worse, because a "cybersecurity" tool carries a false sense of security.

This is a wake-up reminder that you shouldn't have an internet-connected privileged binary running on your production systems. What was a bad update could easily have been a massive adversary backdoor. A third-party vendor will always be the weakest link.

IanaIO's answer to this is ICS, "Isolating Critical Systems," the IanaIO Cyber Security Standard.

Elon Musk confirmed the security issue described by his employee, Christopher Stanley, who is responsible for cybersecurity at SpaceX.

Learn More: [https://x.com/elonmusk/status/1814366864715178165]

Broader Definition of Security Issues - Decentralization (Anti-Monopoly) vs. Centralization (Monopoly) vs. Application and User Software Security

Corporations have deliberately overlooked the needs of people, prioritizing profits and influence. They often shift blame to the Peter Principle, deflecting responsibility onto other companies (often created solely to avoid liability when controlled centralization of applications and software fails). Decentralized software is harder for a single company or individual to control. This is also why giants like Microsoft avoid it at the code level, masking their influence through agreements with other companies like CrowdStrike. They legally protect themselves from monopoly charges while endangering their customers' lives.

Monopolistic giants

A monopolistic giant can easily gain an advantage in financial markets by doing favors for the government, such as bypassing or not signing legislation that could weaken the monopoly and reduce its control.

IanaIO Incorporates Unwritten Rules into Their Standards

Therefore, IanaIO - Security designates this issue as a High-Level Alert for Application and Software Security and incorporates the rules "Never deploy updates on Friday" and "Do not grant kernel-level access to third parties" into its security policy, standardizing these principles as top priorities for software and application security.
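As an added illustration (not IanaIO's or any vendor's code), here is how a release pipeline could encode both rules as a pre-deploy gate. The Change fields, the operations-team timezone, and the sample changes are assumptions; the gate judges "Friday" in the operators' local timezone, since a Thursday-evening UTC timestamp can already be Friday morning for the team on call.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from zoneinfo import ZoneInfo


@dataclass(frozen=True)
class Change:
    """Hypothetical change record as a deployment pipeline might carry it."""
    component: str
    vendor: str            # "first_party" or "third_party"
    privilege: str         # "user" or "kernel"
    critical_target: bool  # does the rollout reach systems classed as critical?


def at_utc(year: int, month: int, day: int, hour: int, minute: int) -> datetime:
    """Build a timezone-aware UTC timestamp (helper for callers and tests)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def evaluate_deploy(change: Change, scheduled: datetime, ops_tz: str) -> list[str]:
    """Return the list of policy violations; an empty list means the deploy may proceed.

    Naive (timezone-less) timestamps are rejected outright: a gate that silently
    assumes UTC would let a local-Friday deploy through.
    """
    if scheduled.tzinfo is None:
        raise ValueError("scheduled time must be timezone-aware")
    violations: list[str] = []

    # Rule 1: "Never deploy updates on Friday", judged in the operators' timezone.
    local = scheduled.astimezone(ZoneInfo(ops_tz))
    if local.weekday() == 4:  # Monday == 0 ... Friday == 4
        violations.append(f"Friday deploy: {local.isoformat()} ({ops_tz})")

    # Rule 2: "Do not grant kernel-level access to third parties" on critical systems.
    if change.vendor == "third_party" and change.privilege == "kernel" and change.critical_target:
        violations.append(
            f"third-party kernel-level component '{change.component}' targets critical systems"
        )
    return violations


if __name__ == "__main__":
    # Constructed sample: a third-party kernel sensor pushed on a Friday (2024-07-19 was a Friday).
    sensor = Change("endpoint-sensor", "third_party", "kernel", critical_target=True)
    for v in evaluate_deploy(sensor, at_utc(2024, 7, 19, 4, 9), "Europe/London"):
        print("BLOCKED:", v)
```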

Why is it important to adhere to the "Never deploy on Friday" rule? [link to blog www.iana.io]