In addition to outlining strategies for proper configuration of unattended security updates, this talk briefly covers how to maintain the security of Docker container environments, where the above strategies generally do not apply. In such environments, an entirely different approach and workflow is usually required.
Heartbleed, Shellshock, POODLE, GHOST… With severe security vulnerabilities on the rise, how can developers protect the systems used to deploy their applications? Unattended package upgrades can help, but only if they are properly set up and monitored. Some of the challenges include:
- many popular virtual private server (VPS) providers do not install or enable automatic security updates in their OS images
- “unattended-upgrades” on Debian-based systems installs automatic security updates but does not actually enable them, potentially putting unsuspecting users at risk
- some security updates (e.g., kernel-level) require a server reboot to take effect, and yet users often don’t realize this until the next time they log in, resulting in a system that is vulnerable in the interim