Why your competitors are utilizing API driven OS updates for Network/Security Devices (Example code included so you can too)

The US Cyber Information Security Agency in ST18-001 warns that Network infrastructure devices are often easy targets for attackers. Among the steps they point to for keeping infrastructure secure, they suggest that network infrastructure device’s OS be kept up to date because patches often contain security vulnerability fixes.

In contrast to this, many teams we talk to about updates are behind on their own internal targets or programs for staying protected from the latest vulnerabilities by applying OS updates in a given KPI-measured timeframe.

Considering the pressure on staff, the increased pace of security vulnerability alerts, and the growing size of networks… it’s likely that teams will only fall further behind over time.

BackBox helps enterprises and MSPs close this gap with the ability to schedule OS updates using our pre-built Automations, even when updates are complex like multi-step or with significant pre- and post-checks required for risk management.

Common themes we’ve seen across the customers who are most confident about being up-to-date are:

1. Programmatic planning of updates. Surprisingly the excel sheet may still exist, but there is intentionality around when updates will be done, what versions are appropriate for each device or device type.
2. Strong business processes. Processes are how agreement is reached between teams for things like what versions will be supported, who can execute an update, who will be informed when devices are out of compliance or updated, what systems need to be updated, and scheduling for when the next set of updates will happen.
3. Guardrails to enforce best practices. Using an API enables DevOps principles to provide guidance in the business process to minimize fat finger mistakes or give junior employees the chance to operate while offering review prior to pushing updates to production environment.

The reality is that of the customers we talk to that have all the above systems, almost all of them are utilizing BackBox APIs as an integral part of their update pipeline. They do this as a way to manage the agreements between teams, lower risk, and ensure update happen as quickly as possible once the process has started.

APIs = Process

A big upside of driving updates with APIs is the ability to build business processes that integrate with other tools in environment. Your Ticketing system may be your source of truth for problems and approvals, your CMDB contains your source of truth for devices, while each team may have different tools they are using to update their device configurations. This diverse set of tools that make up your overall environment means that even if you could drive update from a single tool with no integrations, you would create substantial manual work for everyone to ensure everyone knows what’s happened.

Integrating with existing tools enables you to kick off the process from the ticketing system, pull in a set of devices from your CMDB, ensure those devices are added to an update flow in BackBox, inform your ticketing system on success of failure when that flow is executed, and then updating your CMDB on success. All while sending out appropriate reports to key stakeholders and ensuring a trusted backup at every important step of the way.

The outcome of driving the update process via API is end-to-end visibility and auditability of the process without human tracking in the middle. While this is critical for any business, if your business requires adherence to compliance standards the consistency driven by an API process that connects across tools is required.

Example Code

All of our code for this example can be found at BackBoxSoftwareInc/BackBoxUpgradeJob: BackBox 7.0 Add Devices to an Upgrade Job (github.com) in this code our goal is to provide a framework for the process of utilizing a 3^rd party system communicate devices that will need to be updated (in this case we have a CSV file standing in for the 3^rd party system), add the vendor OS file to BackBox that will be used in your update, add your devices to the update job, and lastly point the job to your OS update file that you uploaded.

BackBox is being used in this code to handle the update process on your device. The big advantage here is that utilizing BackBox APIs gives you standardized, supported expert-built automations for your network and security devices that you can then leverage in your API flow. This allows your developers to maintain focus on driving business process and outcomes rather than figuring out how to execute commands for network or security devices.

Trying out the example code

Note that this code only creates the job to update your devices. To prevent accidental writes, the code does not have the final job/run command built in. After you download the code from the GitHub You will need a couple tools to get started with this example.

1. Python 3 org (python 3.7 or above is preferred)
2. Jupyter Notebook Project Jupyter | Home

Once you have these in a command prompt/terminal run:

python –m pip install requests

then

jupyter notebook

once that is done you can navigate in a web browser to https://localhost:8888 navigate to where you saved the files from GitHub and select BackBoxDeviceOSUpgrade.ipynb

Follow remaining setup listed in the README.md file.

APIs Next Steps

As you begin your journey toward driving more of your network automation via APIs a few key ideas to keep in mind:

1. Start small. You won’t build a fully automated pipeline overnight.
2. Focus on real, tangible outcomes. Device Updates that lower your threat surface are a great place to start, but whatever you start with ensure you can measure the impact and are receiving value for the time spent.
3. Utilize 3^rd party resources to minimize the scope of what you will be developing in house. BackBox is a perfect example of this where it allows you to focus on integration rather than scripting commands on network devices.

If you’ve found this interesting, please join our upcoming webinar on this topic on February 2nd for more. Bring questions too, we’d love to hear your ideas. As always, registering will get you the recording afterwards, so even if your schedule is tight, it’s a good idea to register.