FW: [CII-badges] FYI: Best Practices badge site: Updated vulnerable Rails gems in an hour

Tony Hansen

A story about successfully keeping up-to-date with respect to components with known vulnerabilities.

Tony

On 5/5/2021, 10:40 PM, "CII-badges@lists.coreinfrastructure.org on behalf of David A. Wheeler" <CII-badges@lists.coreinfrastructure.org on behalf of dwheeler@linuxfoundation.org> wrote:

FYI:

I believe it’s important to update components with known vulnerabilities,
and I thought I’d share an example from the CII Best Practices badge itself.
It’s something that happened today! See below for the details.

--- David A. Wheeler

=== Details ===

Earlier today, around 2021-05-05 16:39 UTC, Aaron Patterson announced updated
versions of libraries (gems) that fixed some vulnerabilities.
This announcement went to a number of announcement lists & included their CVE ids.
These libraries are part of the widely-used Rails framework, so they potentially affect many systems.

By an hour later, 2021-05-05 17:38 UTC, we had updated the libraries, verified the
update (including with our automated test suite that has 100% coverage),
pushed it to staging tiers (to verify all was okay), AND finally shipped the fix into production.

Of course, I can’t promise that *all* vulnerability repairs will happen this quickly -
especially if they involve API changes! It’s also possible that these vulnerabilities
weren't exploitable in our environment. In this (and many) cases, it’s easier & faster
to do the update than to try to prove it can’t be exploited. I’ve also seen at least one case
where the analysis was wrong (“that can’t be exploited” and later “whups it can be exploited”).

My point is to show that it’s possible to plan for vulnerabilities in reused software,
and through planning to make the typical response time relatively fast.
We don’t need to be instantaneous, but we need to be faster than the attacker.
We can do this turnaround because we use package managers, automated verification tools,
an automated test suite, and single-command automated deployment.
It’s not magic, it’s just planning for the inevitable.

I’m hoping that this story will help some of you, if you’re dealing with organizations
who aren’t (yet) prepared.

Thanks!
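The kind of check behind the "automated verification tools" step in the story above, as an added Ruby example that is not from the list message or the badge project: it parses a constructed Gemfile.lock fragment, compares each locked version against a constructed advisory list (the ids are placeholders, not real CVE numbers), and prints the `bundle update` command that would move only the affected gems to their fixed versions.

```ruby
require "rubygems"

# Constructed sample Gemfile.lock fragment (not the badge project's real lockfile).
GEMFILE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (6.1.3.1)
      activerecord (6.1.3.1)
      rack (2.2.3)
LOCK

# Constructed advisories; the ids are placeholders, not real CVE numbers.
ADVISORIES = [
  { gem: "actionpack",   id: "CVE-XXXX-0001 (placeholder)", vulnerable: "< 6.1.3.2",           fixed: "6.1.3.2" },
  { gem: "activerecord", id: "CVE-XXXX-0002 (placeholder)", vulnerable: ">= 6.0.0, < 6.1.3.2", fixed: "6.1.3.2" },
  { gem: "rack",         id: "CVE-XXXX-0003 (placeholder)", vulnerable: "< 2.2.3",             fixed: "2.2.3" },
]

# Parse the 4-space-indented "name (version)" lines under specs: (direct specs only;
# 6-space dependency lines carry requirements, not locked versions, and are skipped).
def locked_versions(lockfile)
  lockfile.each_line.each_with_object({}) do |line, acc|
    if (m = line.match(/\A\s{4}([A-Za-z0-9_.-]+) \(([^)]+)\)\s*\z/))
      acc[m[1]] = Gem::Version.new(m[2])
    end
  end
end

# Return the advisories whose vulnerable range contains the locked version,
# annotated with the version actually pinned in the lockfile.
def affected(lockfile, advisories)
  locked = locked_versions(lockfile)
  advisories.select do |adv|
    version = locked[adv[:gem]]
    range = Gem::Requirement.new(adv[:vulnerable].split(",").map(&:strip))
    version && range.satisfied_by?(version)
  end.map { |adv| adv.merge(locked: locked[adv[:gem]].to_s) }
end

# Build the narrowest bundler command that moves only the affected gems
# (--conservative keeps their unrelated dependencies where they are).
def update_command(findings)
  return nil if findings.empty?
  "bundle update #{findings.map { |f| f[:gem] }.uniq.sort.join(" ")} --conservative"
end

if $PROGRAM_NAME == __FILE__
  findings = affected(GEMFILE_LOCK, ADVISORIES)
  findings.each { |f| puts "#{f[:gem]} #{f[:locked]}: #{f[:id]}, fixed in #{f[:fixed]}" }
  puts update_command(findings) || "no affected gems"
end
```

In practice the advisory list would come from a feed such as the one bundler-audit consumes, and the printed command would be followed by the test suite and staging deploy the message describes.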
