Onesait Platform's secure development model applied to threat detection in third-party dependencies

Introduction

Like any software, Onesait Platform has multiple dependencies on third-party software, from libraries used at development time to operating systems used in containers at deployment time. It is therefore vital to analyze and update these dependencies as security threats are detected.

This document defines Onesait Platform's secure development model applied to the resolution of threats detected in third-party software used by Onesait Platform.

Threat detection and correction

The Onesait Platform development lifecycle incorporates tasks that review dependencies against databases of known vulnerabilities and resolve the problems detected. Specifically, the threats published in the NVD (https://nvd.nist.gov/) are analyzed.

Onesait Platform publishes one release per quarter. The dependency analysis and remediation process is aligned with that cycle and consists of the following activities:

  • At the end of the second month of the quarter, all library and software dependencies used in the generated container images are reviewed in order to identify potential threats.

  • During the third month of the quarter, all detected threats rated critical or high severity are fixed.

  • The release at the end of the quarter is free of the threats detected in the aforementioned analysis. For example, in the case of release/1.1.0 shown in the diagram, it is released free of the critical or high severity threats detected at t1.

  • In addition, these security fixes are applied, as a patch, to the immediately preceding release. Following the previous example, release/1.0.X (where X is the current patch level of that line) incorporates all the security fixes included in release/1.1.0.

Databases used

The dependency analysis of the code uses the U.S. government's NVD (National Vulnerability Database): https://nvd.nist.gov/

For the analysis of the container images, the same NVD database (https://nvd.nist.gov/) is used, together with the security tracker of each operating system distribution used: Debian, Ubuntu, Alpine, etc. The distribution trackers are needed because distributions often backport a fix without changing the upstream version number, so a version-based match against the NVD alone would still report the package as vulnerable.

Special cases

Onesait Platform integrates many third-party technologies that follow their own release and fix cycles. Onesait Platform's commitment to updating libraries or components affected by third-party threats is limited by the availability of new versions of those components that fix the problem. If no version that removes the threat is available, Onesait Platform incorporates mitigation mechanisms as an alternative until a definitive solution is available. If the mitigation mechanism involves changes to the configuration of the deployments, the necessary actions are included as a recommendation in the release note.
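The following script is an added example of how the release gate described above (critical/high findings must be fixed, or mitigated when no fixed version exists, before the quarterly release) can be applied to a scan result. It is not Onesait Platform's code. It assumes a simplified, constructed finding format (package, installed version, CVE id, NVD severity, fixed version if any, and the reporting source), and a hypothetical mitigation register keyed by CVE id; the CVE ids and package names in the sample are placeholders, not real vulnerabilities.

```python
"""Release gate over dependency / container-image scan findings.

Added example, not Onesait Platform's code. The finding format, the
mitigation register and the sample data below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Severities that block a quarterly release under the policy described above.
BLOCKING = {"CRITICAL", "HIGH"}


@dataclass(frozen=True)
class Finding:
    package: str
    installed: str
    cve: str
    severity: str                  # NVD CVSS base severity: LOW/MEDIUM/HIGH/CRITICAL
    fixed_version: Optional[str]   # None if neither upstream nor the distro has a fix
    source: str                    # "nvd" or a distro tracker, e.g. "debian"


@dataclass
class Triage:
    upgrade: List[Finding] = field(default_factory=list)     # fix available: bump the dependency
    mitigated: List[Finding] = field(default_factory=list)   # no fix, documented mitigation exists
    unresolved: List[Finding] = field(default_factory=list)  # no fix and no mitigation: blocks release
    tracked: List[Finding] = field(default_factory=list)     # medium/low: recorded, not blocking

    @property
    def release_blocked(self) -> bool:
        return bool(self.unresolved)


def merge_sources(findings: List[Finding]) -> List[Finding]:
    """Collapse the same (package, CVE) reported by both NVD and a distro tracker.

    Distributions often backport a fix without bumping the upstream version, so
    NVD still flags the package while the distro tracker reports a fixed
    revision. Keep whichever record carries a fixed_version.
    """
    merged: Dict[Tuple[str, str], Finding] = {}
    for f in findings:
        key = (f.package, f.cve)
        cur = merged.get(key)
        if cur is None or (cur.fixed_version is None and f.fixed_version is not None):
            merged[key] = f
    return list(merged.values())


def triage(findings: List[Finding], mitigations: Dict[str, str]) -> Triage:
    """Apply the gate: every critical/high finding must be upgraded or mitigated."""
    result = Triage()
    for f in sorted(merge_sources(findings), key=lambda x: (x.package, x.cve)):
        if f.severity.upper() not in BLOCKING:
            result.tracked.append(f)
        elif f.fixed_version is not None:
            result.upgrade.append(f)
        elif f.cve in mitigations:
            result.mitigated.append(f)
        else:
            result.unresolved.append(f)
    return result


def release_note(t: Triage, mitigations: Dict[str, str]) -> List[str]:
    """Release-note lines: each blocking threat and how it was handled.

    The upgrade entries are also the list to backport to the preceding release.
    """
    lines = [f"{f.cve}: {f.package} {f.installed} -> {f.fixed_version}" for f in t.upgrade]
    lines += [f"{f.cve}: {f.package} {f.installed}, no fixed version; mitigation: {mitigations[f.cve]}"
              for f in t.mitigated]
    return lines


# Constructed sample scan of one image (placeholder CVE ids, not real findings).
SAMPLE = [
    Finding("pkg-a", "1.1.1-0+deb11u3", "CVE-0000-0001", "HIGH", None, "nvd"),
    Finding("pkg-a", "1.1.1-0+deb11u3", "CVE-0000-0001", "HIGH", "1.1.1-0+deb11u4", "debian"),
    Finding("pkg-b", "2.3.0", "CVE-0000-0002", "CRITICAL", None, "nvd"),
    Finding("pkg-b", "2.3.0", "CVE-0000-0003", "MEDIUM", "2.4.0", "nvd"),
    Finding("pkg-c", "0.9", "CVE-0000-0004", "HIGH", None, "nvd"),
]
# Hypothetical mitigation register: CVE id -> action recommended in the release note.
SAMPLE_MITIGATIONS = {"CVE-0000-0002": "disable the affected endpoint in the deployment configuration"}

if __name__ == "__main__":
    t = triage(SAMPLE, SAMPLE_MITIGATIONS)
    print("release blocked:", t.release_blocked)
    for line in release_note(t, SAMPLE_MITIGATIONS):
        print(line)
    for f in t.unresolved:
        print("UNRESOLVED (no fix, no mitigation):", f.cve, f.package)
```

In the sample, pkg-a is reported by both sources and collapses to the Debian record with the backported fix, pkg-b's critical finding has no fix but a registered mitigation, and pkg-c's high finding has neither, so the gate reports the release as blocked until a fix or mitigation for it exists. Medium and low findings are kept in `tracked` but do not block.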

Release of fixes

When the Onesait Platform Release Notes are published, they include a list of all the threats detected and solved in the release, so that customers can evaluate whether to upgrade to the new version if they consider any of their environments vulnerable to these threats. Note that not all customers have contracted all the modules, and the way the same module is used varies greatly from one customer to another. For example, some environments expose a module to the Internet, while in others that module is reachable only from other Onesait Platform modules.

License Coverage

Any customer with an active license has access to the new versions published every quarter, which incorporate the security fixes described above.

If a project has more stringent requirements regarding the deadlines for producing fixes, or needs patches for older versions of Onesait Platform, an additional agreement must be added to the standard license.