Heads up! To view this whole video, sign in with your Courses account or enroll in your free 7-day trial. Sign In Enroll

Introduction to Application Security

Preview

Start a free Courses trial
to watch this video

Sign up for Treehouse

Patching Vulnerabilities

4:32 with Alena Holligan and Jared Smith

When vulnerabilities are discovered in the apps either you created or that you use that were created by others, always have a plan to patch the issues and update your production systems. In industry, there are proven ways to do this, but most importantly, clear communication between your organization’s teams and a constant focus on security will save the day.

Further Reading

Patching strategy examples and general reading:

Patching strategies for web apps:

Related Discussions

Have questions about this video? Start a discussion with the community and Treehouse staff.

Sign up

    Related Discussions

    Have questions about this video? Start a discussion with the community and Treehouse staff.

    Sign up

    [MUSIC] 0:00
    We've covered a lot of information so far. 0:04
    Great job pushing through. 0:07
    In this final stage we're going to discuss how to maintain the security of your 0:09
    existing applications, APIs and services. 0:13
    We've talked about encrypting the traffic to and from your site, 0:18
    adding two factor authentication, and even adding rate limiting. 0:21
    But security doesn't stop there. 0:25
    Security is a constant concern not a list of boxes to check. 0:28
    Let's start with a story. 0:33
    Imagine that you've just deployed your new application to production. 0:35
    Day after day, users join more quickly than your team ever expected. 0:39
    Your team continues adding more and 0:44
    more features, making the application even better. 0:45
    Than one day, an engineer notices some odd entries in the log. 0:49
    Upon further investigation, you see that some service that you didn't create 0:54
    is making requests to a server not owned by you or anyone else at your company. 0:59
    Yikes, it looks like you've been hacked. 1:06
    After discovering the issue, your team quickly responds, 1:09
    removes the rogue malware in your system, and investigates how it all started. 1:13
    After hours of looking, it turns out the hackers exploited a security flaw 1:17
    in the Ruby on Rails source code. 1:22
    Not even your own code. 1:24
    However, no one on your team ever updated Rails, 1:26
    after moths of the application running in production, 1:30
    which has led to some very nasty media coverage, customer emails, 1:33
    extremely harmful reputation damage and the firing of your chief security officer. 1:38
    This leads us to the following key takeaway. 1:44
    Keep your applications updated and 1:48
    patch any security flaws as updates are released. 1:50
    Patching you applications and keeping them updated means that security flaws will get 1:54
    fixed as soon as they are discovered by the maintainers of the software you use. 1:58
    Not keeping code up to date has led to numerous incidents at companies 2:04
    across the world. 2:08
    For example, the 2017 Equifax breach 2:10
    was possible because of a Java web framework vulnerability. 2:13
    The 2017 WannaCry ransomware attack 2:18
    exploited some Microsoft Windows framework vulnerabilities. 2:21
    These flaws cost hundreds of millions of people their personal information. 2:26
    In the case of WannaCry, 2:31
    not patching these flaws shut down entire hospitals for days on end. 2:33
    It's easy to tell people to patch their software, but how do you do it? 2:39
    Answering this succinctly and for all companies and 2:43
    possible edge cases is impossible. 2:46
    However, strategies do exist for patching and updating applications and 2:49
    services over the lifetime of their deployment. 2:54
    These strategies generally follow a process similar to the following. 2:58
    Keep an [SOUND] inventory of all the services and 3:02
    applications you have in deployment. 3:06
    Also, keep an inventory of all their associated assets, libraries, and 3:09
    software used. 3:14
    Next, you and your team should plan away to standardize all of your production 3:16
    systems to be using the same libraries, versions and operating systems. 3:21
    Keep track of the various update channels. 3:27
    After you have your applications documented and 3:31
    tracked Next, define the security controls you have in place. 3:33
    [SOUND] Now you can determine priorities. 3:38
    Cross-reference your assets and security controls against the risk 3:41
    associated with not updating these systems. 3:46
    Once you have a prioritized list of patches and updates to make, 3:49
    define a weekly, monthly, and quarterly schedule to perform these updates. 3:53
    Now, follow the plan. 3:59
    And most importantly, follow the plan. 4:02
    This will allow you to keep your systems patched and your users safe. 4:07
    Keep in mind that the strategy we just discussed is not the only one and 4:12
    many others exist. 4:17
    If you would like to go more in depth on patching strategies, there are great 4:18
    resources at the popular SASNS Information Security site, as well as OWASP. 4:23
    We will add links to these in the teacher's notes. 4:28

    You need to sign up for Treehouse in order to download course files.

    Sign up

      You need to sign up for Treehouse in order to set up Workspace

      Sign up