Patching Vulnerabilities

[MUSIC] 0:00 We've covered a lot of information so far. 0:04 Great job pushing through. 0:07 In this final stage we're going to discuss how to maintain the security of your 0:09 existing applications, APIs and services. 0:13 We've talked about encrypting the traffic to and from your site, 0:18 adding two factor authentication, and even adding rate limiting. 0:21 But security doesn't stop there. 0:25 Security is a constant concern not a list of boxes to check. 0:28 Let's start with a story. 0:33 Imagine that you've just deployed your new application to production. 0:35 Day after day, users join more quickly than your team ever expected. 0:39 Your team continues adding more and 0:44 more features, making the application even better. 0:45 Than one day, an engineer notices some odd entries in the log. 0:49 Upon further investigation, you see that some service that you didn't create 0:54 is making requests to a server not owned by you or anyone else at your company. 0:59 Yikes, it looks like you've been hacked. 1:06 After discovering the issue, your team quickly responds, 1:09 removes the rogue malware in your system, and investigates how it all started. 1:13 After hours of looking, it turns out the hackers exploited a security flaw 1:17 in the Ruby on Rails source code. 1:22 Not even your own code. 1:24 However, no one on your team ever updated Rails, 1:26 after moths of the application running in production, 1:30 which has led to some very nasty media coverage, customer emails, 1:33 extremely harmful reputation damage and the firing of your chief security officer. 1:38 This leads us to the following key takeaway. 1:44 Keep your applications updated and 1:48 patch any security flaws as updates are released. 1:50 Patching you applications and keeping them updated means that security flaws will get 1:54 fixed as soon as they are discovered by the maintainers of the software you use. 1:58 Not keeping code up to date has led to numerous incidents at companies 2:04 across the world. 2:08 For example, the 2017 Equifax breach 2:10 was possible because of a Java web framework vulnerability. 2:13 The 2017 WannaCry ransomware attack 2:18 exploited some Microsoft Windows framework vulnerabilities. 2:21 These flaws cost hundreds of millions of people their personal information. 2:26 In the case of WannaCry, 2:31 not patching these flaws shut down entire hospitals for days on end. 2:33 It's easy to tell people to patch their software, but how do you do it? 2:39 Answering this succinctly and for all companies and 2:43 possible edge cases is impossible. 2:46 However, strategies do exist for patching and updating applications and 2:49 services over the lifetime of their deployment. 2:54 These strategies generally follow a process similar to the following. 2:58 Keep an [SOUND] inventory of all the services and 3:02 applications you have in deployment. 3:06 Also, keep an inventory of all their associated assets, libraries, and 3:09 software used. 3:14 Next, you and your team should plan away to standardize all of your production 3:16 systems to be using the same libraries, versions and operating systems. 3:21 Keep track of the various update channels. 3:27 After you have your applications documented and 3:31 tracked Next, define the security controls you have in place. 3:33 [SOUND] Now you can determine priorities. 3:38 Cross-reference your assets and security controls against the risk 3:41 associated with not updating these systems. 3:46 Once you have a prioritized list of patches and updates to make, 3:49 define a weekly, monthly, and quarterly schedule to perform these updates. 3:53 Now, follow the plan. 3:59 And most importantly, follow the plan. 4:02 This will allow you to keep your systems patched and your users safe. 4:07 Keep in mind that the strategy we just discussed is not the only one and 4:12 many others exist. 4:17 If you would like to go more in depth on patching strategies, there are great 4:18 resources at the popular SASNS Information Security site, as well as OWASP. 4:23 We will add links to these in the teacher's notes. 4:28