April 27, 2023

Keeping Your OS Security Up-To-Date

Security & Compliance

There are many factors to keep in mind when thinking about how to keep systems and applications secure. First and foremost is the actual environment where the application is deployed. The environment consists of the Operating System (OS), libraries included with the OS, and software that runs in the background. In a perfect world, an application would have very few or zero dependencies on the environment, thereby eliminating the need to keep dependencies up to date. However, we don't want every application re-inventing all the low-level services that the OS often provides. In addition, there are other common libraries that most applications use and that really should be re-used rather than re-invented. Because of all this, the security of an application relies on many dependencies, and it is important to make sure all of them are kept up to date. Overall, OS security is the first step in making sure your environment is secure.

Maintaining a Good Environment With OS Security

The biggest contributor to underlying dependencies is the OS. In the RHEL Workstation variant, there are 4067 individual packages delivered with the OS. Knowing this, any application can make use of the available packages, or it can bundle and ship its own version of any of them. Chances are, any application will run using a mix of OS packages and bundled packages. As a system administrator, it's important to understand what the critical dependencies are and be able to upgrade specific packages when necessary. Many organizations move slowly to update environments and a little faster to update applications. Patching application software may be easier because its reach is isolated to a specific application. If the OS must be updated in order to resolve a vulnerability, then all applications running in that environment may need to be updated and tested.

Patching Software with OpenSSL Library

The Perforce/SourcePro approach: the reality is that every organization approaches these kinds of problems differently. SourcePro provides options for solving this problem in whatever way the organization prefers. One example of this is the OpenSSL library, which has been in the news recently due to various vulnerabilities. One of them, CVE-2022-2274, involves memory corruption and affects OpenSSL 3.0.4. SourcePro bundles a specific version of the OpenSSL library that is certified against SourcePro. However, SourcePro also gives users the option of using the OS-provided OpenSSL library, or of providing their own version. In this way, the user has the option of patching the OS, patching software (SourcePro), or downloading an updated version of the OpenSSL library and using that instead. Any application that relies on SourcePro for this functionality automatically has those three options when dealing with a high-severity CVE. While this doesn't solve the problem for other applications, we know that mission-critical applications built on SourcePro can be updated relatively easily to continue delivering value in the most secure way possible.
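Across a fleet of applications, the first question for any OpenSSL advisory is which copy of the library each application actually uses (the OS package, the copy bundled by the toolkit, or an in-house build) and whether that copy falls in the affected set, because that determines which of the three remediation paths applies. The following is an added example, not SourcePro's or Perforce's code: it parses `openssl version`-style banners, checks them against an advisory's affected set, and maps each application to a remediation path. The only affected version listed is 3.0.4, as stated above for CVE-2022-2274; treating that as the complete affected set, and the inventory entries themselves, are constructed assumptions for illustration.

```python
"""Added example (not part of SourcePro): map each application's OpenSSL
dependency to a remediation path for a given CVE. Inventory data is constructed."""
import re
from dataclasses import dataclass

# Affected releases per advisory. 3.0.4 is the version the article names for
# CVE-2022-2274; assuming it is the only affected release is a simplification.
AFFECTED = {"CVE-2022-2274": {(3, 0, 4, "")}}

# Remediation text for each place the library can come from (the article's three options).
REMEDIATION = {
    "os": "patch the OS openssl package",
    "bundled": "update the toolkit release that bundles OpenSSL",
    "own": "rebuild or download a fixed OpenSSL and relink the application",
}

# Matches "OpenSSL 3.0.4 21 Jun 2022" and pre-3.0 banners with a letter suffix ("1.1.1q").
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner: str) -> tuple:
    """Return (major, minor, patch, letter) from an OpenSSL version banner."""
    match = _VERSION_RE.search(banner)
    if not match:
        raise ValueError(f"not an OpenSSL banner: {banner!r}")
    major, minor, patch, letter = match.groups()
    return (int(major), int(minor), int(patch), letter)


@dataclass
class Dependency:
    app: str
    source: str   # "os", "bundled" or "own"; see REMEDIATION
    banner: str   # output of `openssl version` or the library's embedded banner


def is_affected(banner: str, cve: str) -> bool:
    """True if the banner's version is in the advisory's affected set."""
    return parse_openssl_version(banner) in AFFECTED[cve]


def remediation(dep: Dependency, cve: str) -> str:
    """Remediation path for one dependency, or 'not affected'."""
    if not is_affected(dep.banner, cve):
        return "not affected"
    if dep.source not in REMEDIATION:
        raise ValueError(f"unknown dependency source: {dep.source!r}")
    return REMEDIATION[dep.source]


def assess(inventory: list, cve: str) -> dict:
    """Map application name to its remediation path for the given CVE."""
    return {dep.app: remediation(dep, cve) for dep in inventory}


# Constructed inventory: three applications, one per sourcing option.
INVENTORY = [
    Dependency("billing", "os", "OpenSSL 3.0.4 21 Jun 2022"),
    Dependency("trading", "bundled", "OpenSSL 3.0.4 21 Jun 2022"),
    Dependency("reporting", "own", "OpenSSL 1.1.1q 5 Jul 2022"),
]

if __name__ == "__main__":
    for app, action in assess(INVENTORY, "CVE-2022-2274").items():
        print(f"{app}: {action}")
```

In practice the banners would be collected from each host (for example from the library a binary actually links against) rather than typed in; the point of keeping the affected set and the remediation table as data is that the same check runs unchanged for the next advisory.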

Don't Assume OS Security: Test It!

Another big consideration when it comes to updating your environment is having the right level of testing and oversight. While you want to apply software patches and updates consistently, it's important to have enough tests in place that you can be confident your application will continue to work. Understanding what kind of testing is done on underlying components can also be an important part of your upgrade process. Some open source projects perform extensive testing and produce very solid libraries. Others, even commercial libraries, may not provide the level of testing your application really needs. With SourcePro, we perform a level of testing on all libraries that we consider "certification". This means that for a given configuration, we have run thousands of tests with a large range of parameters and in strenuous conditions, so that applications running on SourcePro can be assured that everything will work as expected. The biggest mistake we see in migrations, upgrades, or even application updates is that there is often not enough testing to understand what will happen.

Final Thoughts

Maintaining environment security is critical to the success of applications across the many industries we work with. Security is an evolving discipline that is sure to be updated regularly as threats and attacks change. OS security is likely the first step in securing the foundation of your application and your environment: the OS is both the most common source of vulnerabilities and the most cost-effective layer to keep up to date. Make sure you are taking these initial steps to keep your applications running securely so you can continue to build impactful software.

Get started with SourcePro today to improve your OS security and keep your environment up to date.

Request an evaluation with SourcePro