Brent Clements
on 14 July 2016
I work for Canonical as a Consulting Architect. Every design I put together I try to secure as best as possible. One reason I came to Canonical was because of the way we handle security updates and our approach to security. This blog post outlines how we handle updates, specifically around zero-day vunerabilities.
We have all heard of major break-ins at some of the world’s most trusted companies. It is something that, speaking as a former IT Security Analyst, keeps me on my toes when dealing with technology every day. Many of these major break-ins are due to flaws, commonly known as vulnerabilities, that exist in software. These vulnerabilities lie in wait for the day that a hacker discovers them and creates an exploit to attack a business for fun and/or profit. The most serious of these attacks, zero-day attacks, occur when attackers identify that flaw and release an exploit before the vendor has the opportunity to release a patch which fixes the vulnerability. Many times vendors are racing against the clock to fix the vulnerability before further damage is done.
Luckily Canonical works extremely quickly with our partners, customers, and the community when it comes to stopping zero-day attacks before they cause large-scale damage. Our goal is to reduce the time it takes to release a security update so you can patch quicker. Not only do we follow best practices when securing OpenStack but the Ubuntu Operating system, is engineered to be one of the most secure operating systems in the world. We do this by constantly monitoring for exploits, threats, and attacks, and also by working closely with our partners, customers, and the community to maintain vigilance over all aspects of security.
In a recent example of combating security threats, Canonical was notified of a “zero-day” vulnerability which is a hole in software that is unknown to the vendor. Within hours, the Canonical engineering team had release a security patch to both our customers and the community. While all threats can’t always be immediately addressed, this demonstrates the high level of attention that we pay to any notification of a potential vulnerability. Because of our engineering-focused security model, we can move quickly to eliminate threats.
The biggest weapon we have in fighting zero-day attacks is by constantly being on alert for threats. Canonical’s security team continuously monitors these threats by:
- Having vulnerabilities reported directly to the Ubuntu Security Team by the community and our customers and partners
- Monitoring announcements on the public oss-security mailing list
- Coordinating and Working on Embargoed issues on the private linux-distros mailing list
- Monitoring notices published by other software vendors
- The Ubuntu Security Team discovering issues through code review and static code analysis
In order to move as quickly as we do, Canonical has developed a well-defined process for analyzing threats and producing security patches to stop problems before they begin. Once a vulnerability has been identified, security updates are done according to the threat prioritization. Our update process includes:
- Researching how the vulnerability affects each Ubuntu release
- Locating the upstream fix or, in some cases, fixing the issue ourselves
- Backporting the fix to all affected Ubuntu releases
- Targeted testing to gain confidence that the issue is fixed
- Building the packages that will ultimately be published as Ubuntu Security updates
- Perform thorough QA to ensure that the security update packages fix the vulnerability and do not introduce regressions that will negatively affect our users
- Publish the security updates and an accompanying Ubuntu Security Notice to http://www.ubuntu.com/usn/ whereby we inform users of the fixed issue(s) and steps they need to take to apply the update.
So why is having a well-defined process for identifying flaws and squashing them before they cause damage important? My belief is that we must prevent financial loss and secure you or your customers’ data asap. According to an IT Risk Survey released by security firm Kaspersky, the average security breach costs an enterprise $551,000 to recover from. Not only is it costly but your businesses reputation can be damaged, sometimes irreparably.
To further illustrate the point, let’s imagine you are a financial institution or insurance company. According to the 2015 IBM Security Index, these types of institutions are at the highest threat for being attacked. Having a partner that can quickly find and eliminate security vulnerabilities gives you a greater advantage for securing your customer’s financial information and reducing losses now and in the future.
Canonical has a goal to help secure the cloud to reduce those threats. Our people, processes, and technology ensure that vulnerabilities are quickly eliminated in order to protect you, your company, and your customers. For me, I am proud to be part of such a wonderful team that fights for your business. Because of this, I can, with confidence, advise our customers on the best possible outcomes for their projects.