Why Your Competitors Are Using API-driven OS updates for Network Devices (Example code included so you can too)

A set of guidance led by international cybersecurity governing authorities warns that network infrastructure devices, including firewalls, routers, and virtual private network (VPN) gateways, are often easy targets for attackers. They recommend keeping network device OSs up to date because patches frequently contain security vulnerability fixes.

In contrast, many teams we communicate with about updates struggle to keep their network devices in a known and trusted state. Many organizations schedule updates during monthly or quarterly maintenance windows, typically on nights and weekends. In theory, setting internal targets or programs to protect against the latest vulnerabilities by applying OS updates within a KPI-measured timeframe is a good strategy. In practice, however, they are making updates manually, one device at a time, with no reliable or efficient method to determine which vulnerabilities are significant to the organization and therefore must be addressed immediately.

Considering the pressure on staff, the increased pace of security vulnerability alerts, and the growing size of networks, teams tend to fall further behind over time.

BackBox helps enterprises and MSPs bridge this gap and enhance network cyber resilience by enabling the scheduling of OS updates with our pre-built automations. Even when updates are complex, such as those involving multiple steps or requiring significant pre- and post-checks for risk management, we provide a no-code option to customize or create new automations. Updates can be automated as part of your cyber resilience strategy and integrated into daily workflows.

Common themes we’ve seen across the customers who are most confident about being up to date are:

1. Programmatic planning for updates. In some instances, spreadsheets may still be present, but there is a clear intention regarding when updates will occur and which versions are suitable for each device or device type.
2. Effective business processes are crucial. They define how agreements are made between teams regarding aspects such as which versions will be supported, who is authorized to execute an update, who will be notified when devices become out of compliance or are updated, which systems require updates, and when the next set of updates will occur.
3. Guardrails to enforce best practices. Utilizing an API allows DevOps principles to guide the business process, minimizing fat-finger errors and enabling junior employees to operate with oversight before pushing updates to the production environment.

The reality is that almost all customers we talk to who have all the above systems utilize BackBox APIs as a crucial part of their update pipeline. They do this to manage agreements between teams, reduce risk, and ensure updates are implemented as quickly as possible once the process has started.

APIs = Process

A significant advantage of using APIs to drive updates is the capability to establish business processes that integrate with various tools in your environment. Your ticketing system may serve as your source of truth for issues and approvals, while your CMDB maintains the source of truth for devices. Furthermore, different teams might utilize distinct tools to manage their device configurations. This varied assortment of tools that constitutes your overall environment indicates that even if you could drive updates from a single tool without integrations, you would still create considerable manual work for everyone to ensure that all parties are informed about what has transpired.

Integrating with existing tools enables you to kick off the process from the ticketing system, pull in a set of devices from your CMDB, ensure those devices are added to an update flow in BackBox, inform your ticketing system of success or error once that flow is executed, and then update your CMDB on success. You can automatically send appropriate reports to key stakeholders and ensure a trusted backup at every critical step.

The outcome of managing the update process through an API is comprehensive visibility and auditability without requiring human intervention. While this is vital for any business, if your organization must meet compliance standards, the consistency achieved through an API process that links to various tools can be a game-changer.

Example Code

All of our code for this example can be found at: https://github.com/BackBoxSoftwareInc/BackBoxUpgradeJob

In this code, our goal is to provide a framework for the process of:

• Utilizing a third-party system to communicate to devices that will need to be updated (in this case, we have a CSV file standing in for the third-party system)
• Adding to BackBox the vendor OS file that will be used in your update
• Adding your devices to the update job
• Pointing the job to the OS update file that you uploaded

BackBox is utilized in this code to manage the update process on your device. The key advantage here is that using BackBox APIs provides you with standardized, supported, expert-crafted automations for your network and security devices to integrate into your API flow. This enables your developers to focus on driving business processes and outcomes rather than figuring out how to execute commands for network or security devices.

Running the example code

This code only creates the job of updating your devices. To prevent accidental writes, the code does not include the final job/run command. After you download the code from GitHub, you will need Python 3.12 or later (python.org) installed.

In a command prompt/terminal, run:

# 1. Create & activate a virtual environment (Windows PowerShell example)

python -m venv .venv

./.venv/Scripts/Activate.ps1

# 2. Install dependencies

pip install -r requirements.txt

# 3. Create .env file (see template in README.md) and place your upgrade file (e.g., upgrade.zip) in the project directory

# 4. Run the automation

python BackBoxDeviceOSUpgrade.py

The script will authenticate to BackBox, upload your upgrade file, resolve devices from your CSV, and add them to the upgrade job—all via API calls.

Optional: Interactive Demo Walkthrough

If you prefer to see the automation step-by-step with detailed explanations, the repository includes an interactive Jupyter notebook (`BackBox_OS_Upgrade_Demo.ipynb`) that walks through each function and API call. This is useful for learning the workflow or demonstrating to stakeholders.

For complete setup details, configuration options, and troubleshooting, see the README.md file in the repository.

APIs Next Steps

As you start your journey to drive more of your network automation through APIs, here are a few important tips to remember:

• Start small. You won’t build a fully automated pipeline overnight.
• Focus on actual, tangible outcomes. Device updates that reduce your threat surface are a great place to start, but wherever you begin, ensure you can measure the impact and receive value for the time spent.
• Utilize third-party resources. The above process illustrates how to minimize the scope of what you will develop in-house so that network engineers don’t need to be coding experts. BackBox is a perfect example, allowing you to focus on API integrations and a no-code approach rather than scripting commands on network devices.

Learn how BackBox is helping network engineers use API-driven OS updates to keep their network infrastructure resilient. Schedule a 30-minute demo for an interactive tour of the BackBox platform.