Application and Server Security Updates 101
With the recent influx of dangerous, pervasive vulnerabilities in applications and servers, it’s more important than ever to make sure everything you own is up-to-date. Heartbleed and Shellshock were both “drop anything you’re doing and fix this right now” bugs; and to make matters worse it’s taken multiple patches to fix Shellshock (and it’s still not fully patched yet).
If you have any project that’s available over a network (AKA everything), it’s your responsiblity to make sure it’s up-to-date security-wise. Thankfully there are a few steps you can take to drastically improve your awareness and ability to keep your applications and servers secure.
Security Annoucements
Security Annoucements are your canaries in the coal mine. There are two types of accouncements: application/framework annoucements, and operating system annoucements.
For application/framework security annoucements, you will need to check the affected versions to see if your project is vulnerable. For operating systems annoucements, it’s a good practice to always update, even if you think you don’t use the affected software. A tool on your server might actually use the affected software, and not patching it leaves you open to vulnerabilities. For example: Linux uses bash for DNS resolution, so even if you never use bash your servers are still vulnerable to Shellshock.
In either case, you should patch ASAP:
Heard about a vulnerability? The adversary is not a stressed human like you. It's a for loop. The vuln is not secret; after all, you know.
— Patrick McKenzie (@patio11) April 9, 2014Security Annoucement Lists
Below are some security annoucement lists for popular OS distributions, programming languages, and frameworks. Make sure you’re signed up for the appropriate ones, and that you’re signed up for any that aren’t on this list (like the mailing list for your authentication plugin). Did I miss something? Let me know so I can update this list!
Operating Systems/Platforms
- Debian Security Mailing List
- Ubuntu Security Mailing List
- Red Hat Mailing Lists (search for “security” and sign up for the appropriate lists)
- Amazon Web Services Bulletins (RSS Feed)
- Apple Security updates
Languages
Frameworks
- Ruby on Rails
- Wordpress (RSS Feed)
Others
- NIST’s Recently Analyzed Vulnerabilities (RSS Feed, warning: this is like drinking from a firehose)
Keeping Frameworks Updated
As long as a project is still alive and kicking, you need to keep your frameworks up-to-date. Even if you’re running an old version of Rails or a Ubuntu, LTS branches keep these versions up to date. If you’re running a Rails 2.3 or 3.0 application, you should sign up for RailsLTS. This paid service updates Rails 2.3 and 3.0 to fix security issues, since they are not supported by the Rails Core team anymore.
Keeping Servers Updated
Quick and easy access to security updates on your production servers is critical. Ideally, you should be able to apply an update in less than a minute. Major Linux distributions support security updates through their package managers:
Managed Security Platforms
I’d also suggest signing up for a managed security service. These services handle updating firewalls, intrusion detection, SSH access, file integrity, and vulnerability scanning. This alleviates some of the pressure for you and gives you peace of mind that your servers are more secure. Two popular services are Dome9 and CloudPassage.
Conclusion
Now, more than ever, it’s critical to keep your applications and servers patched against the latest vulnerabilities. Signing up for the appropriate security annoucements, quickly responding to annoucements, and using a managed security platform will drastically reduce your vulnerability. Security is an ongoing, uphill battle, and you need to be vigilant against threats.
If you want to receive more helpful, in-depth guides like this to keep you up to date, sign up for my newsletter and I’ll send them directly to your inbox.