Compliance

Our Commitment to Patching

September 11, 2017

by

Marc Boorshtein

In the wake of the Equifax breach, we thought it was important to declare how dedicated we are to making sure the latest, patched libraries are in Unison, OpenUnison and MyVirtualDirectory. Security is hard, complex systems are hard and bugs are inevitable. The Struts team gave a great response to Equifax's declaration that a bug in their software was the reason for the breach (https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax). It boils down to either a zero day (since the latest Struts vulnerability was announced AFTER the breach occurred) or an unpatched system with a vulnerability that had been reported months earlier.

There are many reasons teams don't patch. The first is probably the old adage "if it ain't broke, don't fix it". This is a security death sentence in IT. The fact is you don't know if it's broken, and let's be honest, it probably is.

Tremolo Security understands just how important it is to keep libraries updated. To this end we have, since day 1 when we started with an empty Eclipse project, used a test-first methodology for building our software. Most features and bug fixes are validated through an automated test case that can be run either locally on our laptops or from our central Jenkins server.

This test-first methodology, when combined with our use of the Maven build system, gives us a great tool for making sure we're always on the latest versions of libraries. Our process prior to each release is:

  1. Run mvn versions:display-dependency-updates, which tells us if new versions of libraries are available
  2. Update our build files to make sure we have the latest version listed
  3. Re-run the hundreds of automated tests looking for interactions with our certified systems
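A release gate that can sit behind step 1, as an added example rather than Tremolo's own tooling: it parses the report printed by the versions plugin and fails when any dependency is behind. The report text below is constructed to mirror the plugin's output format; in a real pipeline it would come from running the goal.

```shell
#!/bin/sh
# Added example, not part of the original post: gate a release on the
# report from `mvn versions:display-dependency-updates`.

# Constructed sample of the plugin's report (format: "group:artifact ... current -> newest").
SAMPLE_REPORT='[INFO] --- versions-maven-plugin:2.4:display-dependency-updates (default-cli) @ demo ---
[INFO] The following dependencies in Dependencies have newer versions:
[INFO]   org.apache.httpcomponents:httpclient ................ 4.5.2 -> 4.5.3
[INFO]   junit:junit ............................................. 4.11 -> 4.12
[INFO]
[INFO] The following dependencies in Dependencies are using the newest version:
[INFO]   commons-io:commons-io ........................................ 2.5
[INFO] BUILD SUCCESS'

# Print one "group:artifact current -> newest" line per outdated dependency.
outdated_deps() {
    printf '%s\n' "$1" | awk '
        # Only report lines carry an arrow: field 2 is the coordinates, the
        # dots are padding, and the last two fields are current and newest.
        / -> / {
            coords = $2
            sub(/\.+$/, "", coords)
            print coords, $(NF-2), "->", $NF
        }'
}

# Return 0 when every dependency is current, 1 when any is behind.
check_updates() {
    updates=$(outdated_deps "$1")
    if [ -n "$updates" ]; then
        echo "Outdated dependencies:" >&2
        printf '%s\n' "$updates" >&2
        return 1
    fi
    echo "All dependencies are on their newest versions."
    return 0
}

# Demo on the constructed report; in CI, pass the real goal's output:
#   check_updates "$(mvn versions:display-dependency-updates)"
if check_updates "$SAMPLE_REPORT"; then
    echo "release gate: pass"
else
    echo "release gate: fail"
fi
```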

This way we know if an update to a library breaks a critical piece of code. Depending on the results we may not always decide to upgrade. As an example, during our 1.0.12 testing we found that a change to the way the Apache HTTP client libraries were validating certificates broke our certification tests with FreeIPA. It was a known bug that was being fixed in the next version, so we decided to wait.

Automating this process across all three of our major projects (MyVirtualDirectory, OpenUnison and Unison) has given us a tremendous ability to be both agile and provide the best security we can. It made it pretty straightforward for us to go through the self-certification process for the Linux Foundation's CII program for open source projects; both OpenUnison (https://bestpractices.coreinfrastructure.org/projects/517) and MyVirtualDirectory (https://bestpractices.coreinfrastructure.org/projects/514) have completed it. We can't guarantee that we'll never have a bug (and anyone who says they can is lying to themselves or to you), but we can strive to follow the best practices that have been talked about for years.

Now that we've determined that most of our libraries are kept up to date, how do we make sure it's easy for you to patch your servers? If you're using Unison you likely installed with either an RPM from our Yum repository or are using one of our containers from either Dockerhub or the Red Hat certified catalog. The yum installs are easy, just run an update! We don't override any of your config and we separate our libraries from yours, so you know you're getting the right ones. If you're using a container, well, that's pretty easy too! Just pull the latest container!

What about if you're using OpenUnison? Since we deploy OpenUnison using Maven's web application overlay plugin, you will always get the latest libraries when you reference our latest version. This means that when we do a release, it's just as simple as updating your deployment's pom.xml and going back through the deployment process. You still need to update your servlet container, but stay tuned for our next release; we have some exciting news there…