Security patching and update services

Website security patches provide protection against known (usually new) threats by ‘patching’ the code to protect against the problem/threat. Website security patches are an essential part of ensuring your site is secure. Likewise, updating your website so it’s running the most current, secure version of code also protects you against attacks, security breaches and downtime.

Patching and open source

Open source has changed the way technology operates. It delivers a host of benefits to organisations and the end users/citizens. It’s free, sophisticated, and reflects a great sharing ethos that captures the spirit of community with a strong following…open source truly is a movement. Drupal, GovCMS and Wordpress are three great examples of open source content management systems (CMSs) that have become popular, particularly within government to enable them to deliver great content to citizens.

However, you need to patch and maintain the site yourself, or find someone to do it for you.

Why you need to patch/update

There are several high-level reasons why patching and updating are so important. For example, they:

• Keep your site secure, which protects your organisation from the negative impact of site compromises.
• Keep your site current so you also benefit from non-security fixes, which improve your site's performance, address usability issues, and add new features to it.
• Reduce maintenance liabilities (i.e. the longer you leave your site unpatched/not updated the harder, more expensive and longer it will take to fix).

Patching in action

Drupal is a great open-source CMS and always keeps on top of new security threats. On 22 March 2018 Drupal announced a critical security hole /threat in Drupal. They then released the free patch on 28 March. (These announcements were actually 23 March and 29 March Aussie time.)

Unfortunately there were many organisations that didn’t apply the patch. Two Australian examples:

1. On 11 April 2018, the Information Technology Security Advisor of the Victorian Department of Premier and Cabinet issued an official Cyber Incident Alert after several Victorian sites had been defaced.

2. Even more recently, Family Planning NSW suffered a breach and in this instance, the breach exposed extremely sensitive information.

The examples above provide compelling evidence of how important it is to keep your CMS up to date by either applying the latest security patches, or by updating to the latest release available (which includes any security fixes). Protecting your site protects sensitive information, your clients/citizens and your reputation.

If you’d like to find out more about this particular threat, you can read the Security Week article or the ZDNet coverage. You can also read about the related cryptojacking attack at Bad Packets Report. This attack affected 348 sites (many of them government sites) that had not applied the Drupal patch.

Salsa manages patching and updating for most of our clients, and applied the patch for all our Drupal clients by 31 March, so no Salsa-managed site was affected.

Patching best practice

Salsa specialises in Drupal and Wordpress content management systems (CMSs) and is well versed in the best approach to protect your site. Below are some tips to ensure your organisation is following good patching practices for your CMS.

1. Know your current patch status: conduct an initial audit to identify the patch 'health status' of your site. Make sure you answer these questions:

• Is your site using the most up-to-date version of Drupal/Wordpress/your CMS?
• Is your version of the CMS end-of-life or close to end-of-life?
• How many non-core modules is your site using and are they still supported?
• What about custom modules — are they supported?
• Does your site have any problematic, non-patch-friendly areas? How can you address these?

2. Optional once-off upgrade: If your overall site is quite out of date you may need to look at a once-off upgrade project. Consider the following:

• This can be minor, major or somewhere in between, depending on how many modules and customisations your site has and how out of date it is.
• The advantage of doing this once-off upgrade is that you’ll have a strong foundation to maintain your site into the future.

3. Have a structural patching plan: This will help ensure your site is protected going forward. Make sure your plan includes:

• A clear charter on which sites should to be patched and when
• A clear responsibility matrix that covers who patches, who tests, who approves, who deploys, etc.
• A clear, centralised register that tracks all activities, statuses and approvals of patches

4. Schedule patches monthly for non-security patch updates: Scheduling patches makes it easy to plan and manage resourcing. Your schedule could outline the following key roles:

• Developer(s) to patch
• Tester(s) to conduct quality assurance (QA)
• Stakeholder(s) to validate via user acceptance testing (UAT)
• Developer(s) to deploy
• Release coordinator to communicate to stakeholders and coordinate the release/patch process

5. Ensure critical security patches are applied ASAP: This is essential for your site’s security. As part of your patching plan and agreement you need to have:

• Service level agreements (SLAs) in place to ensure critical security patches are applied ASAP. For critical security patches, a reasonable SLA is 48 hours until user acceptance testing and another 24 hours to deploy the patch to production.

Manual patching vs automated patching

In many instances, manual patching is the best option. For example, if you’re running one ‘simple’ site your patching needs may be met with minimal resources/spend. However, if you’re running multiple sites using a lot of non-core modules and customised modules, automated patching may end up being a safer and more cost-effective solution. The upfront fee for automation would effectively be ‘earned-out’ over time.

If you do go down the automation path, you need to find the best compromise of cost, speed and risk. Firstly, identify your top five most critical business processes that MUST always work, and automate the testing of these key functions. If applying a patch automatically causes these tests to fail, the patching doesn’t happen; if the tests pass, then the automatic patching and/or release of the fix to production goes ahead. This may result in other non-critical areas of your site becoming ‘broken’ however you’re protected against the security risk and the significantly more consequential impact of being hacked. A broken site is better than a hacked site!

Salsa’s security patches and updates services

Salsa provides the following patching and updating services to our clients:

Patch audits

Salsa assesses the current patch levels on your site’s CMS, identifies any vulnerabilities and makes recommendations to secure your site.

Security hack remediation

If your site did happen to get hacked, Salsa can perform an audit to identify what has been compromised, and then make recommendations on how to secure your site and restore its functionality.

Once-off CMS patches/upgrades

Salsa brings your site up to date with the latest version of your CMS and/or applies all pending patches.

Security and structural patching, testing and deployment

Work with us to keep your site current with security and non-security updates. Non-security updates can be scheduled monthly or quarterly. Security updates are applied as they are being released (subject to service level agreements (SLAs)).

Patching and testing automation

Salsa has developed a solution for automated patching that monitors for available updates for your websites on a daily basis and automatically creates patched environments for manual review, running visual regression tests at the same time. Visual regression tests compare how website pages look before and after patching to make sure that patching doesn’t break any existing functionality. We automatically patch your site only if the specific tests we‘ve put in place pass. This ensures that the key functions/pages of your site look and work as expected.

Free security health check (audit)

In light of the recent breaches, Salsa is offering a free patch health check for .gov.au and .edu.au sites. This health check will:

• Provide an assessment of the current patch levels on your site's CMS core
• Identify all modules/plugins and their versions and patch levels
• Provide a list of known security vulnerabilities
• Outline recommendations and pathways to get your CMS to the latest version and how to stay up to date and patched.

Note: This is not a forensic-level audit (that would, for example, determine if your site has ever been hacked), but it will let you know exactly how to secure your site moving forward.