When vulnerabilities are discovered in the apps you created, or in apps you use that were created by others, always have a plan to patch the issues and update your production systems. In industry, there are proven ways to do this, but most importantly, clear communication between your organization's teams and a constant focus on security will save the day.
Further Reading
Patching strategy examples and general reading:
- A Practical Methodology for Implementing a Patch Management Process, by Daniel Voldal
- Six Steps for Security Management Best Practices, by Fred Avolio
- How To: Implement Patch Management, by J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan
Patching strategies for web apps:
We've covered a lot of information so far. Great job pushing through. In this final stage we're going to discuss how to maintain the security of your existing applications, APIs and services. We've talked about encrypting the traffic to and from your site, adding two factor authentication, and even adding rate limiting. But security doesn't stop there. Security is a constant concern, not a list of boxes to check.

Let's start with a story. Imagine that you've just deployed your new application to production. Day after day, users join more quickly than your team ever expected. Your team continues adding more and more features, making the application even better. Then one day, an engineer notices some odd entries in the log. Upon further investigation, you see that some service that you didn't create is making requests to a server not owned by you or anyone else at your company. Yikes, it looks like you've been hacked. After discovering the issue, your team quickly responds, removes the rogue malware in your system, and investigates how it all started. After hours of looking, it turns out the hackers exploited a security flaw in the Ruby on Rails source code. Not even your own code. However, no one on your team ever updated Rails after months of the application running in production, which has led to some very nasty media coverage, customer emails, extremely harmful reputation damage and the firing of your chief security officer.

This leads us to the following key takeaway. Keep your applications updated and patch any security flaws as updates are released. Patching your applications and keeping them updated means that security flaws will get fixed as soon as they are discovered by the maintainers of the software you use. Not keeping code up to date has led to numerous incidents at companies across the world. For example, the 2017 Equifax breach was possible because of a Java web framework vulnerability. The 2017 WannaCry ransomware attack exploited some Microsoft Windows framework vulnerabilities. These flaws cost hundreds of millions of people their personal information. In the case of WannaCry, not patching these flaws shut down entire hospitals for days on end.

It's easy to tell people to patch their software, but how do you do it? Answering this succinctly and for all companies and possible edge cases is impossible. However, strategies do exist for patching and updating applications and services over the lifetime of their deployment. These strategies generally follow a process similar to the following. Keep an inventory of all the services and applications you have in deployment. Also, keep an inventory of all their associated assets, libraries, and software used. Next, you and your team should plan a way to standardize all of your production systems to be using the same libraries, versions and operating systems. Keep track of the various update channels. After you have your applications documented and tracked, next define the security controls you have in place. Now you can determine priorities. Cross-reference your assets and security controls against the risk associated with not updating these systems. Once you have a prioritized list of patches and updates to make, define a weekly, monthly, and quarterly schedule to perform these updates. Now, follow the plan. And most importantly, follow the plan. This will allow you to keep your systems patched and your users safe.

Keep in mind that the strategy we just discussed is not the only one and many others exist. If you would like to go more in depth on patching strategies, there are great resources at the popular SANS Information Security site, as well as OWASP. We will add links to these in the teacher's notes.
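The inventory, prioritize and schedule steps described in the video, as an added example in Ruby (not code from the course): it reads a constructed Gemfile.lock as the dependency inventory, cross-references it against a constructed advisory list with hypothetical severities, and assigns each outstanding patch to the weekly, monthly or quarterly window using assumed severity thresholds.

```ruby
require "rubygems" # Gem::Version compares "5.1.10" > "5.1.2" correctly
# Constructed sample lockfile standing in for a real project's Gemfile.lock.
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.8.0)
      rails (5.1.0)
        actionpack (= 5.1.0)
      puma (3.9.1)
LOCK

# Constructed advisories with hypothetical severities: versions below
# :patched are affected. A team would fill this from its update channels.
ADVISORIES = [
  { gem: "rails",    patched: "5.1.2", severity: 9.0 },
  { gem: "nokogiri", patched: "1.8.1", severity: 5.5 },
  { gem: "puma",     patched: "3.9.0", severity: 7.0 },
]

# Step 1, inventory: in the specs block a resolved gem sits at 4-space
# indent as "name (version)"; deeper lines are dependency constraints.
def inventory(lockfile)
  lockfile.each_line.with_object({}) do |line, inv|
    m = line.chomp.match(/\A {4}(\S+) \(([\d.]+)\)\z/)
    inv[m[1]] = m[2] if m
  end
end

# Step 2, prioritize: cross-reference the inventory against the advisories
# and rank the outstanding patches by severity, highest first.
def prioritize(inv, advisories)
  due = advisories.select do |adv|
    current = inv[adv[:gem]]
    current && Gem::Version.new(current) < Gem::Version.new(adv[:patched])
  end
  due.map { |adv| adv.merge(from: inv[adv[:gem]]) }.sort_by { |a| -a[:severity] }
end

# Step 3, schedule: weekly / monthly / quarterly window per patch
# (thresholds are an assumed policy, not taken from the course).
def schedule_bucket(severity)
  severity >= 7.0 ? "weekly" : severity >= 4.0 ? "monthly" : "quarterly"
end

if __FILE__ == $0
  prioritize(inventory(LOCKFILE), ADVISORIES).each do |p|
    puts "#{schedule_bucket(p[:severity])}: #{p[:gem]} #{p[:from]} -> #{p[:patched]}"
  end
end
```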