When it comes to security companies, whether in web security or the wider field of cyber security, one thing we have found over the years is that most of them seem to know and/or care little about security. We think that explains a lot of why security is in such bad shape these days. One easy-to-spot example of these companies either not knowing or not caring about security is when their websites are running outdated software with security vulnerabilities, as keeping software up to date is really a security 101 item, whether for websites or other systems.
The cyber security company PacketSled has been in the news recently after the founder and CEO of the company “resigned after election night posts on social media about assassinating President-elect Donald Trump”. Their website is currently running WordPress 4.4.2.
Like the last couple of instances we looked at with cyber security companies running outdated WordPress installations, it isn’t just that they are not running the latest major version, 4.6, but that they have not kept up to date with new minor releases for the version they are on (the current version is 4.4.5). What makes that stand out is that back in WordPress 3.7 a new update system was introduced that would normally apply those minor updates automatically. So either these companies are disabling that and failing to manually update, or there is some conflict between their systems and the automatic update system and they are not manually updating. If there was some conflict, then helping WordPress to fix that would help others in the same situation as well as them (since they can’t manage to do the manual updates either).
Whatever the cause, they missed three security updates, the earliest having been released six months ago.
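For an installation you administer, both conditions discussed above (how far the install trails the latest minor release in its branch, and whether `wp-config.php` switches off the automatic update system) can be checked from two files. The following is an added example, not part of the original post: the sample file contents are constructed and the function names are hypothetical, while `AUTOMATIC_UPDATER_DISABLED`, `WP_AUTO_UPDATE_CORE` and `DISALLOW_FILE_MODS` are WordPress's own configuration constants.

```python
import re

# Constructed sample files for illustration; not taken from any real site.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '4.4.2';\n"
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'example');
// define('AUTOMATIC_UPDATER_DISABLED', true);
define( 'WP_AUTO_UPDATE_CORE', false );
"""

DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""")
# Constant -> raw PHP literals that stop automatic minor core updates.
# Simplified: filters set by plugins or themes are not visible here.
BLOCKING = {"AUTOMATIC_UPDATER_DISABLED": ("true", "1"),
            "WP_AUTO_UPDATE_CORE": ("false",),
            "DISALLOW_FILE_MODS": ("true", "1")}

def parse_version(version_php):
    """Return $wp_version from the text of wp-includes/version.php."""
    m = re.search(r"""\$wp_version\s*=\s*['"](\d+(?:\.\d+)*)['"]""", version_php)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)

def as_tuple(version):
    """'4.4' -> (4, 4, 0); '4.4.2' -> (4, 4, 2)."""
    return (tuple(int(p) for p in version.split(".")) + (0, 0))[:3]

def parse_defines(wp_config):
    """Map constant name -> raw PHP literal, skipping commented-out lines."""
    defines = {}
    for line in wp_config.splitlines():
        line = line.strip()
        if line.startswith(("//", "#", "/*", "*")):
            continue
        for name, value in DEFINE_RE.findall(line):
            defines[name] = value.lower()
    return defines

def update_blockers(defines):
    return [name for name, bad in BLOCKING.items() if defines.get(name) in bad]

def audit(version_php, wp_config, latest_in_branch):
    """Report how far behind its branch an install is and what blocks updates."""
    installed, latest = parse_version(version_php), as_tuple(latest_in_branch)
    if as_tuple(installed)[:2] != latest[:2]:
        raise ValueError("latest_in_branch must belong to the installed branch")
    return {"installed": installed,
            "minor_releases_behind": max(latest[2] - as_tuple(installed)[2], 0),
            "blockers": update_blockers(parse_defines(wp_config))}
```

Calling `audit()` with the contents of `wp-includes/version.php`, `wp-config.php` and the branch's latest release (4.4.5 for the case in this post) returns the installed version, the number of minor releases missed and any constants that explain why they were not applied automatically.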