Have faith in the software development life cycle

The drivers, operating system, and user programs make up the different layers of any typical IT system, and different companies make different parts of it. It follows that we have to place some faith in each of those institutions: not only in their good intentions, but also in their software being completely secure. Accordingly, using any software is a two-way demonstration of trust.

To illustrate, let's pretend you're designing a data transmission system for a fairly large organization. You will begin by picking out the necessary parts and equipment. How can you accomplish this without jeopardizing your safety or common sense? Let's examine this issue from the perspective of someone who cares about system security but also wants to cut down on dependency on outside resources. We'll begin with picking an OS, go on to containerization, and wrap up with networking packets from the outside world.

Operating System

Transparency is the best course of action for those who have trouble trusting others, so we will start by choosing an OS with open-source code. With that in mind, we can safely say that Unix-based systems are the way to go. The next question is which distribution to use. A quick analysis of job postings showed that Debian, Ubuntu, and CentOS are the most popular Unix-based server distributions, so we'll discuss them in more detail below.

Analyzing the Distributions

The update policies of Linux distributions are an important part of the security puzzle whenever new vulnerabilities are disclosed. Fixes for security flaws in Debian and Ubuntu are typically released at the same time. Ubuntu is derived from Debian, but its packages receive their own updates.

CentOS differs in this regard because it uses RHEL packages rather than its own. As a result, you should expect a delay of up to 72 hours. CentOS updates are released within 24 hours, per the CentOS website [1- CentOS package update delay compared to RHEL]. Furthermore, this year will be the last one in which CentOS 8 receives security updates and bug fixes. But that's something we can talk about later.

To see how fast distributions react, we'll look at the vulnerability known as CVE-2021-3156. The vulnerability is a heap overflow, which can lead to privilege escalation on the affected systems. It is rated "High" under CVSS v3. On January 26, 2021, details of the security flaw were made public. On January 20, an updated package was made available for Debian [2] and CentOS [3], but Ubuntu [4] users could install it a day earlier. As can be seen, response times were nearly identical. Comparing similar cases makes it clear that distributions have similar patching times. Sure, there will be some outliers here and there, but they don't seem to affect the overall picture that much.

Hardening the System

System selection is complete; proceed to fortification. Compliance with the CIS standard represents the most reliable method [8]. There is a dedicated benchmark for each variety of server that details a set of strict requirements for protecting critical infrastructure.

When you don't have the resources to reach the highest level of security, you can use tools that check only for the most common and easily detectable security flaws. Lynis [9], a program with a similar emphasis on system hardening, can be used for this purpose. It can identify security flaws in both the overall system and the configuration of frequently used services. Being able to determine whether the installed packages include any known vulnerabilities is crucial. However, if we merely want to check the likelihood of privilege escalation, Red Teaming tools will be the most useful. LinEnum [10] and Linpeas are two of the most well-known examples.
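The check described above, whether an installed package is older than the version that carries a fix, comes down to comparing distribution version strings correctly. The following is an added example, not code from the original article or from Lynis: it implements the Debian/Ubuntu (dpkg) version ordering, so it does not apply to CentOS RPM versions, and the package list, the fixed versions and the placeholder CVE ids are constructed sample values.

```python
import re

def _nondigit(s, k):
    return k < len(s) and s[k] not in "0123456789"

def _order(ch):
    # dpkg order inside a non-digit run: '~' < end of run < letters < other characters
    if ch in ("~", ""):
        return -1 if ch == "~" else 0
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_part(a, b):
    i = j = 0
    while i < len(a) or j < len(b):
        while _nondigit(a, i) or _nondigit(b, j):  # non-digit runs, one character at a time
            ca = a[i] if _nondigit(a, i) else ""
            cb = b[j] if _nondigit(b, j) else ""
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
            i, j = i + 1, j + 1
        # Digit runs compare numerically; an empty run counts as 0.
        da, db = re.match(r"[0-9]*", a[i:]).group(), re.match(r"[0-9]*", b[j:]).group()
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
        i, j = i + len(da), j + len(db)
    return 0

def _split(v):
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1 for Debian-style versions [epoch:]upstream[-revision]."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea > eb) - (ea < eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

# Constructed sample in `dpkg-query -W` style: "name<TAB>version" per line.
INSTALLED = "sudo\t1.8.27-1+deb10u2\nexamplelib\t2:1.0~rc1-1\nbash\t5.0-4\n"
# Constructed advisory entries; take real fixed versions from the distribution's tracker.
ADVISORIES = [("CVE-2021-3156", "sudo", "1.8.27-1+deb10u3"),
              ("CVE-0000-0000", "examplelib", "2:1.0-1"),   # placeholder id
              ("CVE-0000-0001", "bash", "5.0-4")]            # placeholder id

def unpatched(installed_text, advisories):
    """Return (cve, package, installed_version) for packages older than the fix."""
    have = dict(line.split("\t") for line in installed_text.splitlines() if line)
    return [(cve, pkg, have[pkg]) for cve, pkg, fixed in advisories
            if pkg in have and compare_versions(have[pkg], fixed) < 0]
```

A plain string or tuple comparison gets cases such as `1.0~rc1` versus `1.0` and `+deb10u2` versus `+deb10u3` wrong, which is why the ordering rules are implemented explicitly here.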

Containerization

Today, containers are used by nearly every application. This approach lets you partition your system into logical pieces without sacrificing its inherent performance. Multiple approaches exist to make containerization possible. The most common is Docker, but lxd and podman are also viable options. This chapter will cover the final one because it is the most frequently read.