Blog


Announcing ISO 27001 Certification for Aptible Enclave and Gridiron

Chas Ballew on September 5, 2017

I am happy to announce that Aptible has earned ISO 27001 certification for our Enclave and Gridiron products! This is the result of a lot of hard work by the Aptible team, and is good news for you if you’re an Aptible customer: You can use Aptible’s ISO 27001 certification to show your customers that your cloud computing stack meets an international standard for security.

Learn more about ISO 27001 and download the Aptible certification.

What is ISO 27001?

ISO is an organization. In English, the name of the organization is the “International Organization for Standardization,” but usually people just call it ISO, like International Business Machines Corporation is just IBM.

ISO produces “standards:” documents that outline requirements, specifications, and guidelines.

Requirements, specifications, and guidelines for what? Lots of things. There are over 20,000 standards, and they can be very specific.

You can play around and search the ISO site. This can be strangely fascinating: pick a random noun and search for it.

“Avocado?” Boom: ISO 2295 is a guide for the storage and transport of avocados. ISO 3659 has instructions on how to ripen avocados after cold storage. And so on.

ISO standards also cover more abstract concepts. One of the best-known standards is ISO 9001, which sets out criteria for a quality management “system”, or set of principles and business processes.

ISO 27001 is also a “system” standard. It defines requirements for information security management systems. The main body of the standard outlines a governance structure that you have to adopt: requirements for determining what counts as in-scope or out-of-scope for your “system,” assigning security roles and responsibilities, security planning activities, risk management activities, monitoring/metrics, and improving the system itself.

ISO 27001 also has an annex of reference controls relating to areas like cryptography, operations security, asset management, incident management, and more. The reference controls are normative, in the sense that if you don’t implement a given control, you need to be able to convince your auditor that your decision was reasonable, or otherwise explain yourself.

What does ISO 27001 mean for software development teams?

Think of ISO 27001 as a baseline for good security management processes. “We take security seriously” is a cliche. Many developer teams know they would benefit from an organized approach to security, but don’t know where to start. Hiring someone full-time for security is a stretch for small teams, and managing security just gets more complex as you scale.

Teams seeking ISO 27001 certification need to be organized. Like most of the major information security protocols (SOC 2, HIPAA, PCI, etc.), ISO 27001 requires:

  • Proactive risk management, instead of just reacting to bad things as they happen

  • Planning ahead for security and setting appropriate security improvement goals

  • Writing down the rules for how security is supposed to work for your system (in policies and procedures)

  • Training your workforce on those rules, with advanced training for those with more security responsibilities

  • Training for and responding to security and availability incidents, including breaches

Most teams will end up investing in secure software development practices, such as test coverage, continuous integration/continuous deployment, code review, vulnerability scanning, and penetration testing. On a practical level, you’ll probably get serious about MFA, require everyone to use a password manager, start using mobile device management to secure laptops and phones, do criminal background screenings, stuff like that.

What does ISO 27001 “certification” mean?

ISO standards are voluntary. Unlike the Department of Health and Human Services with HIPAA enforcement or the PCI Security Standards Council, the ISO organization itself doesn’t have any ability to enforce the standards. In fact, anyone can claim they “comply” or are “consistent” with any of the ISO standards.

The gold standard is a certification performed by an “accredited” certification body, or auditor. Being “accredited” means the auditors have themselves been audited against an ISO standard for how they conduct audits and certifications.

Aptible has been certified by Coalfire ISO, an ISO/IEC 27001 Certification Body accredited by the ANSI-ASQ National Accreditation Board (ANAB).

How does Aptible’s ISO 27001 certification benefit you?

Getting organized about security helps us protect your data. ISO 27001 lays out clear best practices for security management. With developer teams, huge problems can come from seemingly little things like not sanitizing inputs, not patching vulns, accidentally pushing sensitive data to the wrong system. ISO 27001 certification means we’ve spent time thinking systematically about risk, and have strong controls in place to manage it.

In turn, you can use Aptible’s ISO 27001 certification to show your customers that your cloud computing stack meets an international standard for security.

How can you get your own ISO 27001 certification?

The traditional way to prepare is to use consultants or full-time hires. This usually involves a lot of Word documents and Excel spreadsheets, takes a long time, is extremely expensive, and makes you feel slightly let down, like you just spent all that time and money and not much really changed. You may have this nagging feeling that you’re not actually that much more secure, but at least you have antivirus on everyone’s laptops.

I think there’s a better way. At Aptible, we make Gridiron, a set of tools for managing security, designed specifically for software development teams. Let us know if you want to get ready for ISO 27001, HIPAA, SOC 2, PCI, NIST 800-53, 21 CFR Part 11, or any other security framework.

Learn more about ISO 27001 and download the Aptible certification.


Recap: Aptible July 2017 Quarterly Product Update Webinar

Henry Hund on July 26, 2017

Once each quarter, the Aptible product team hosts a brief update webinar to share what’s new with Enclave and Gridiron. Yesterday, we hosted our July update webinar, highlighting all the new features released for Enclave this quarter and demoing how to set up your security management program with Gridiron.

In case you missed it, you can watch a recording of our July webinar below. You can grab the transcript and the slide deck in our resources section. And, we provide a full recap of the event in this blog post.

Register now for next quarter’s webinar, which we will host in October.

July 2017 Quarterly Product Update Webinar


New Open Source Project: Supercronic - Cron for containers

We opened the webinar with a quick overview of Supercronic. Supercronic is our new open source job runner that fixes the problems that occur when using traditional Cron implementations in containerized environments.

Supercronic example cron/job runner code.

We’re excited about Supercronic because, while it’s a drop-in replacement for traditional cron, it leaves environment variables alone, passes job output to stderr, and logs job failures and timeouts, which makes it a perfect fit for containers. You can read more about Supercronic or check it out on GitHub.

New for Enclave

Enclave is a container orchestration platform for developers working in regulated industries. We are working towards making Enclave the best place to deploy regulated and otherwise sensitive projects. To that end, over the last quarter we implemented a number of important new features that make it easier to deploy and manage apps and databases on Enclave.

(As a sidenote, you can always follow along with new feature development by checking out the Aptible Changelog.)

Container Recovery

Arguably, the implementation of Container Recovery represents the most significant change to Enclave this quarter. We’ve previously covered Container Recovery extensively in our Changelog as well as in our docs, but given the magnitude of the change it bears a quick review here.

In sum: Container Recovery automatically restarts your application and database containers when they exit. When an app or database container exits, we’ll restart it in a pristine state. The best part? You don’t need to do anything to take advantage of Container Recovery. It’s enabled for all your apps and databases automatically.

Database Self-Service Scaling

In our April webinar, we indicated that self-service scaling of databases was coming soon. It’s now here.

With some exceptions, you can now resize databases at any time, with minimal downtime. This allows you the flexibility to scale your disk and RAM footprint as your workload and requirements change.

You can scale your databases via the CLI, or toggle the size from within the Enclave dashboard:

Database Scaling Self-service.

You can read more about Self-Service Database scaling in our Changelog.

App Deployment

This quarter, we also launched three features to make it easier to deploy apps on Enclave.

You can now deploy directly from Docker images, no git required. This will allow you to reuse existing Docker images and take full control over your build process. Read more about Direct Docker Image Deploy in our Changelog.

Direct Docker Image Deploy.

Along with this change, Procfiles are now optional. This enables you to reuse the same codebase across Enclave and other container orchestration platforms like Kubernetes and Docker Swarm.

Finally, you can now synchronize deploys with config changes. This allows you to deploy at the same time you update your config, so there will be no intermediate step where you’re running the old code with the new config or vice versa.

Synchronize deploys and config changes.

Other Enclave Changes

There are a number of additional improvements we made to Enclave this quarter. Check out the webinar recording above for more, including:

  • New and upcoming Endpoint configurations for both apps and databases

  • Updates to the scriptability of our CLI

  • Launch of an .exe for our Windows CLI

Gridiron Implementation - Setting up your security and compliance management process

Gridiron is the easiest way for developers to build and run world-class data security programs. It turns information security requirements into repeatable processes while managing all the documentation required to demonstrate that you’re complying with stringent compliance protocols such as HIPAA, ISO 27001, and SOC 2.

After completing the review of this quarter’s updates to Enclave, we showed how a company could get started with Gridiron quickly. At a high level, Gridiron implementation can be broken down into four steps:

  1. Aptible-guided implementation process with hands-on support and training

  2. Determine your baseline controls

  3. Generate reporting and documentation

  4. Continuous updates

During your hands-on guided implementation with the Aptible team, we’ll train you on how to set up and manage a security program.

By the end of the implementation, you’ll use Gridiron to determine a set of baseline security controls and prepare your first set of security documentation (such as your Risk Assessment, Policies and Procedures and Workforce Training).

Gridiron Risk Assessment Demo During Webinar.

Your deliverables, such as your risk assessment report, your policies, and your training materials, will automatically change along with your organization. Gridiron updates your docs as your organization evolves.

In the webinar demo, we go into much more detail on using Gridiron to track and measure risks and vulnerabilities, train your team on security and compliance, and respond to incidents as they arise.

Register for October 2017 Aptible Product Update Webinar

Our next product update webinar will be hosted on October 25, 2017 at 11am Pacific / 2pm Eastern.

Registration is now open.

All registrants will receive a webinar recap and the recording shortly after the conclusion of the webinar.


Introducing Supercronic - Cron for containers

Thomas Orozco on July 20, 2017

We’re proud to announce our latest open-source project: Supercronic. Supercronic is a cron implementation designed with containers in mind.

Why a new cron for containers?

We’ve helped hundreds of Enclave customers roll out scheduled tasks in containerized environments. Along the way, we identified a number of recurring issues with using traditional cron implementations such as Vixie cron or dcron in containers:

  • They purge the environment before running jobs. As a result, jobs fail, because all their configuration was provided in environment variables.

  • They redirect all output to log files, email or /dev/null. As a result, job logs are lost, because the user expected those logs to be routed to stdout / stderr.

  • They don’t log anything when jobs fail (or start). As a result, missing jobs and failures go completely unnoticed.

To be fair, there are very good architectural and security reasons traditional cron implementations behave the way they do. The only problem is: they’re not applicable to containerized environments.

Now, all these problems can be worked around, and historically, that is what we’ve suggested:

  • You can persist environment variables to a file before starting cron, and read them back when running jobs.

  • You can run tail in the background to capture logs from files and route them to stdout.

  • You can wrap jobs with some form of logging to capture exit codes.
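The three workarounds in the list above, as an added example that is not Supercronic’s or Aptible’s own code: a POSIX shell wrapper that persists chosen environment variables before cron starts, reads them back inside the job, and logs each job’s start, exit code and duration to stdout instead of letting them vanish. The env file path, the JOB_WARN_SECONDS threshold and the /proc/1/fd/1 redirection are assumptions made for this example (the redirection assumes PID 1 in the container owns the stdout that the runtime collects, which is the usual Docker layout).

```shell
#!/bin/sh
# Added example (not Supercronic's or Aptible's code): the "cron + workarounds"
# pattern, as a wrapper you put in front of each crontab command.
# ENV_FILE and JOB_WARN_SECONDS are hypothetical names chosen for this example.

ENV_FILE="${ENV_FILE:-/tmp/cron-env.sh}"     # assumed location of the env dump
JOB_WARN_SECONDS="${JOB_WARN_SECONDS:-60}"   # warn when a job runs longer

# One structured log line on stdout, where a container runtime collects it.
log() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*"
}

# Workaround 1: persist selected environment variables to a file before
# starting cron, because cron purges the environment before running jobs.
# $1 = output file, remaining args = variable names to persist.
save_env() {
    out="$1"; shift
    : > "$out"
    for name in "$@"; do
        eval "value=\${$name}"
        # single-quote the value; an embedded ' becomes '\'' so the file
        # can be sourced back safely, whatever the value contains.
        esc=$(printf '%s' "$value" | sed "s/'/'\\\\''/g")
        printf "export %s='%s'\n" "$name" "$esc" >> "$out"
    done
}

# Read the persisted variables back inside the job (no-op if the file is absent).
load_env() {
    [ -r "$1" ] && . "$1"
    return 0
}

# Workaround 3: wrap the job so its start, exit code and duration are logged.
# stdout/stderr are inherited rather than sent to a log file.
# $1 = job name, remaining args = command. Returns the job's exit status.
run_job() {
    job="$1"; shift
    start=$(date +%s)
    log "starting job=$job"
    "$@" && rc=0 || rc=$?
    duration=$(( $(date +%s) - start ))
    if [ "$rc" -eq 0 ]; then
        log "job succeeded job=$job duration=${duration}s"
    else
        log "job failed job=$job exit_code=$rc duration=${duration}s"
    fi
    [ "$duration" -gt "$JOB_WARN_SECONDS" ] && log "warning: job=$job exceeded ${JOB_WARN_SECONDS}s"
    return "$rc"
}

# When invoked with arguments, act as the wrapper a crontab line would call:
#   */5 * * * *  /usr/local/bin/job-wrapper.sh nightly-report /app/bin/report
if [ "$#" -gt 0 ]; then
    # Workaround 2, without a background tail: send output to the container's
    # PID 1 stdout/stderr so the runtime captures it instead of cron mailing it.
    if [ -w /proc/1/fd/1 ]; then
        exec >/proc/1/fd/1 2>/proc/1/fd/2
    fi
    load_env "$ENV_FILE"
    run_job "$@"
fi
```

Before starting cron, the entrypoint would call `save_env "$ENV_FILE" DATABASE_URL SECRET_KEY_BASE` (whatever the jobs need); each crontab line then invokes the wrapper with a job name and the real command, and the wrapper's log lines carry the exit code that cron alone would have discarded.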

But wouldn’t it be better if workarounds simply weren’t necessary? We certainly think so!

Enter Supercronic

Supercronic is a cron implementation designed for the container age.

Unlike traditional cron implementations, it leaves your environment variables alone, and logs everything to stdout / stderr. It’ll also warn you when your jobs fail or take too long to run.

Perhaps just as importantly, Supercronic is designed with compatibility in mind. If you’re currently using “cron + workarounds” in a container, Supercronic should be a drop-in replacement:

$ cat ./my-crontab
*/5 * * * * * * echo "hello from Supercronic"

$ ./supercronic ./my-crontab
INFO[2017-07-10T19:40:44+02:00] read crontab: ./my-crontab
INFO[2017-07-10T19:40:50+02:00] starting                                      iteration=0 job.command="echo "hello from Supercronic"" job.position=0 job.schedule="*/5 * * * * * *"
INFO[2017-07-10T19:40:50+02:00] hello from Supercronic                        channel=stdout iteration=0 job.command="echo "hello from Supercronic"" job.position=0 job.schedule="*/5 * * * * * *"
INFO[2017-07-10T19:40:50+02:00] job succeeded                                 iteration=0 job.command="echo "hello from Supercronic"" job.position=0 job.schedule="*/5 * * * * * *"
INFO[2017-07-10T19:40:55+02:00] starting                                      iteration=1 job.command="echo "hello from Supercronic"" job.position=0 job.schedule="*/5 * * * * * *"
INFO[2017-07-10T19:40:55+02:00] hello from Supercronic                        channel=stdout iteration=1 job.command="echo "hello from Supercronic"" job.position=0 job.schedule="*/5 * * * * * *"
INFO[2017-07-10T19:40:55+02:00] job succeeded                                 iteration=1 job.command="echo "hello from Supercronic"" job.position=0 job.schedule="*/5 * * * * * *"

What’s next?

If you’re an Enclave customer, we’ve updated our cron jobs tutorial with instructions to use Supercronic. If you’re not using Enclave, then head on over to Supercronic’s GitHub page for installation and usage instructions.


Vulnerability Scanning for your Dependencies: Why and How

Thomas Orozco on May 22, 2017

In a world where application dependency graphs are deeper than ever, secure engineering means more than securing your own software: tracking vulnerabilities in your dependencies is just as important.

We’ve greatly simplified this process for Enclave users with a recent feature release: Docker Image Security Scans. This is a good opportunity to take a step back, review motivations and strategies for vulnerability management, and explain how this new feature fits in.

Why Dependency Vulnerability Management?

Popular dependencies are very juicy targets for malicious actors: a single vulnerability in a project like Rails can potentially affect thousands of apps, so attackers are likely to invest their resources in uncovering and automatically exploiting those.

One infamous (albeit old) example of this is CVE-2013-0156: an unauthenticated remote-code-execution (RCE) vulnerability in Rails that’s trivial to automatically scan for and exploit. Among others, Metasploit provides modules to automatically identify and exploit it.

As an attacker, a vulnerability like CVE-2013-0156 is a gold mine. The exploit can be delivered via a simple HTTP request, so all an attacker needed to do to compromise vulnerable Rails applications was send that request to as many public web servers as they could find (finding all of them is much easier than it sounds).

In other words: when it comes to vulnerabilities in third-party code, you’re actively being targeted right now, even if no one has ever heard of you or your business.

Strategies for Dependency Vulnerability Management

Now that we’ve established that vulnerability management matters, the question that remains is: what can you do?

Modern apps depend on a number of dependencies that come from diverse sources ranging from OS packages to vendored dependencies. Fundamentally, there’s no one-size-fits-all approach to keeping track of vulnerabilities that affect them.

So let’s divide and conquer: from a vulnerability management perspective, there’s a useful dichotomy between two categories of third-party software.

  • On the one hand, there’s third-party software you installed via a package manager

  • And on the other hand, there’s third-party software you didn’t install via a package manager.

The easiest dependencies to look after are those that you installed via a package manager, so let’s start with them.

Using a package manager? Leverage vulnerability databases

Package managers helpfully maintain a list of the packages you installed, which means you can easily compare the software you installed against a vulnerability database, and get a list of packages you need to update and unfixed vulnerabilities you need to mitigate.

Ideally, you want to automate this process in order to be notified about new vulnerabilities when they come out, as opposed to hearing about them when you remember to check. Indeed, remember that when it comes to vulnerable third party dependencies, you’re actively being targeted right now, so speed is of the essence.

How does this work?

There’s a number of open-source projects and commercial products you can use for this type of analysis. A few popular options are Appcanary (which Aptible uses and integrates with), Gemnasium, and Snyk.

They often work like this:

  • You extract the list of packages you installed from your package manager

  • You feed it to the analyzer

  • The analyzer tells you about vulnerabilities (commercial products will also often notify you when new vulnerabilities come up in the future)

That simple!? Almost: you’re probably using multiple package managers in your app, which means you may have to mix and match analyzers to cover everything. Indeed, for most modern apps, you’ll have at least two package managers:

  • A system-level package manager: if you’re using Ubuntu or Debian, this is dpkg, which you access via apt-get. If you’re using CentOS / Fedora, this is rpm, which you access via yum or dnf. If you’re using Alpine, it’s apk. Etc.

  • An app-level package manager: if you’re writing a Ruby app, this is Bundler. If you’re writing a Node app, it’s NPM or Yarn. Etc.

So, what you need to do here is locate the list of installed packages for each of those, and submit it to a compatible vulnerability analyzer.
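The three analyzer steps above (extract the installed-package list, feed it to the analyzer, get back the affected packages), carried out for both a system-level and an app-level package manager, as an added example that is not Aptible’s or Appcanary’s code. It parses a dpkg status file and a Bundler Gemfile.lock, then compares each installed version against a constructed advisory list using each ecosystem’s own ordering rules (a reimplementation of dpkg’s version comparison for Debian packages, and a simplified RubyGems ordering). The sample inputs and the EXAMPLE-ADV-* advisory identifiers are constructed for illustration.

```python
"""Added example (not Aptible's or Appcanary's code): the extract -> analyze
pipeline from the post, run offline over constructed dpkg and Bundler inputs."""
import re
from itertools import zip_longest

# ---- Step 1: extract the list of installed packages from each package manager
def parse_dpkg_status(text):
    """Return {name: version} for packages marked installed in a dpkg status file."""
    installed = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^([A-Za-z-]+): (.*)$", stanza, re.M))
        if fields.get("Status", "").endswith(" installed"):
            installed[fields["Package"]] = fields["Version"]
    return installed

def parse_gemfile_lock(text):
    """Return {gem: version} from the 4-space-indented 'specs:' entries of a
    Gemfile.lock (6-space lines are dependency constraints, not versions)."""
    return dict(re.findall(r"^    (\S+) \(([^)]+)\)$", text, re.M))

# ---- Each ecosystem orders versions differently; plain string comparison is wrong
def _deb_part_cmp(a, b):
    """Compare one upstream/revision component the way dpkg does."""
    def key(c):  # '~' sorts before end of string; letters before other symbols
        return 0 if c is None else -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        for ca, cb in zip_longest(na, nb):
            if key(ca) != key(cb):
                return key(ca) - key(cb)
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
        a, b = a[len(da):], b[len(db):]
    return 0

def deb_version_cmp(v1, v2):
    """dpkg --compare-versions semantics: epoch, then upstream, then revision."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    return (e1 - e2) or _deb_part_cmp(u1, u2) or _deb_part_cmp(r1, r2)

def gem_version_cmp(v1, v2):
    """RubyGems-style ordering: numeric segments compare as integers and an
    alphabetic (prerelease) segment sorts below the bare release."""
    def segs(v):  # tag segments so (0, "pre") < (1, 0) under tuple comparison
        return [(1, int(s)) if s.isdigit() else (0, s) for s in v.split(".")]
    a, b = segs(v1), segs(v2)
    a, b = a + [(1, 0)] * (len(b) - len(a)), b + [(1, 0)] * (len(a) - len(b))
    return (a > b) - (a < b)

# ---- Steps 2 and 3: feed the lists to the analyzer and report affected packages
# Constructed advisories: (ecosystem, package, first fixed version, placeholder id)
ADVISORIES = [
    ("deb", "openssl", "1.0.1t-1+deb8u7", "EXAMPLE-ADV-0001"),
    ("deb", "bash", "4.3-11+deb8u2", "EXAMPLE-ADV-0002"),
    ("gem", "rails", "4.2.7.1", "EXAMPLE-ADV-0003"),
]
COMPARATORS = {"deb": deb_version_cmp, "gem": gem_version_cmp}

def find_vulnerable(installed, ecosystem):
    """Return [(package, installed, first_fixed, advisory)] for every installed
    package whose version is older than an advisory's first fixed version."""
    cmp = COMPARATORS[ecosystem]
    return [(pkg, installed[pkg], fixed, adv) for eco, pkg, fixed, adv in ADVISORIES
            if eco == ecosystem and pkg in installed and cmp(installed[pkg], fixed) < 0]

# Constructed sample inputs, not taken from a real system.
SAMPLE_DPKG_STATUS = """\
Package: openssl
Status: install ok installed
Version: 1.0.1t-1+deb8u6

Package: bash
Status: install ok installed
Version: 4.3-11+deb8u2
"""
SAMPLE_GEMFILE_LOCK = """\
GEM
  remote: https://rubygems.org/
  specs:
    nokogiri (1.8.0)
      mini_portile2 (~> 2.2.0)
    rails (4.2.5.1)
"""
def scan():
    """Run both extractors against the advisories; return {ecosystem: findings}."""
    return {"deb": find_vulnerable(parse_dpkg_status(SAMPLE_DPKG_STATUS), "deb"),
            "gem": find_vulnerable(parse_gemfile_lock(SAMPLE_GEMFILE_LOCK), "gem")}
if __name__ == "__main__":
    for eco, hits in scan().items():
        for pkg, have, fixed, adv in hits:
            print(f"[{eco}] {pkg} {have}: {adv}, fixed in {fixed}")
```

The version comparison is the part most home-grown scripts get wrong: a plain string comparison ranks 1.0.1t-1+deb8u10 below 1.0.1t-1+deb8u9 and treats 1.0~rc1 as newer than 1.0, so an analyzer has to speak each package manager's ordering, which is one reason a single tool rarely covers every package manager an app uses. On a real system the dpkg input is /var/lib/dpkg/status and the Gemfile.lock is the one checked into the app; the advisory list would come from a vulnerability database rather than a constant.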

New Enclave Feature: Docker Image Security Scans

Now’s the right time to tell you about this new Enclave feature I mentioned earlier in this post.

When you deploy your app on Enclave, we have access to its system image. Last week, we shipped a new feature that lets us extract the list of system packages installed in your app, and submit it to Appcanary for a security scan.

This can work in two different ways:

  • You can run a one-shot scan via the Enclave Dashboard. This gives you an idea of what you need to fix right now, but it will not notify you when new vulnerabilities are discovered in packages you use, or if you install a new vulnerable package.

  • You can sign up for Appcanary and connect Enclave and Appcanary accounts. Enclave will keep your Appcanary monitors in sync with your app deploys in Enclave, and in turn Appcanary will notify you whenever there’s a vulnerability you need to know about. This puts you in a great position from a security perspective, and will reassure security auditors.

How to run a vulnerability scan for your dependencies using Enclave.

To summarize: Enclave with Appcanary can now handle vulnerability monitoring for your system packages, and it’s really easy for you to set up!

However, for app-level packages, you still have to do a little bit of legwork to find and integrate a vulnerability monitoring tool that works with your app. Note that Appcanary does support scanning Ruby and PHP dependencies, so you might be able to use them for app-level scanning too.

Is that it?

Not quite: we still have to look at third-party code you didn’t install via a package manager. Here are a few examples: software you compiled from source, binaries you downloaded directly from a vendor or project website, and even vendored dependencies.

For these, there is — unfortunately! — no silver bullet. Here’s what we recommend:

  • When possible, try and minimize the amount of software you install this way.

  • When you absolutely need to install software this way, subscribe to said software’s announcement channels to ensure you’re notified about new vulnerabilities. This may be a mailing list, a blog, or perhaps a GitHub issue tracker. When possible, review how security issues were handled in the past.

This time, that about wraps it up! Or does it? Engineering is turtles all the way down, so even if you covered all your bases in terms of software you installed, there’s still the underlying platform to account for.

That being said, unless you’re hosted on bare metal on your own hardware, this is largely out of your control. At this point, your best strategy is to choose a deployment platform you can trust (if you read this far, hopefully you’ll consider Enclave to be one).


Recap: Aptible April 2017 Quarterly Product Update

Henry Hund on April 19, 2017

Over the last quarter, we released a number of new features and updates for the Enclave deployment platform. We also began helping customers deployed on AWS to manage their organization’s security and compliance using Gridiron.

Yesterday, on a brief webinar, our team reviewed the updates to the Enclave platform and showed how Gridiron helps software developers build and maintain strong security management programs.

In case you missed it, you can download the slide deck and get the transcript in our resources section, or watch the full event below. We also provide a quick recap in this blog post.


New for Enclave

We intend for Enclave to be the best platform for developers to deploy regulated and sensitive software products. This quarter, we focused on improving Enclave in three ways: security and compliance, database self-service, and general usability improvements.

Security and Compliance

We launched new ways to secure apps and meet compliance goals while improving the security of Enclave itself.

We’ve previously detailed these improvements on our blog. Here’s the list:

Database Self-Service

Self-service database scaling is coming soon. In the meantime, the Aptible CLI now supports aptible db:reload, and disk resizes are a lot faster.

Usability Improvements

We launched a few small improvements that should make developers’ lives easier when deploying with Enclave:

  • We now protect against runaway SSH sessions when your session gets disconnected

  • Memory management restarts apps in pristine containers when they exceed memory limits

  • Enclave Log Drains now integrate with Sumo Logic and Logentries as an alternative to rolling your own ELK stacks

Gridiron

Gridiron is our suite of tools that helps developers build and maintain strong security management programs. Gridiron makes the administrative side of protecting data easy and helps to prepare you for regulatory audits as well as customer security reviews.

In the webinar, we gave a short talk-through of how Gridiron approaches security management. This starts with the Gridiron Data Model: an API that integrates data from your business, our experience working with hundreds of customers in securing sensitive data, and industry-wide security standards provided through NIST Guidance, vulnerability and attack databases and shared intel.

The Gridiron Data Model integrates information about your business, everything Aptible has learned about protecting sensitive data across hundreds of customers, and industry-wide security best practices.

Gridiron ingests data about your business through a series of straightforward and relevant questions that are easy to answer but have important implications for your internal security program.

Gridiron asks simple, straightforward questions that have important ramifications for your security program.

Gridiron uses that data to create deliverables that help you show security and compliance as well as improve your business operations.

Gridiron provides complete documentation and reporting to help you show security and compliance.

Getting started with Gridiron

If you’d like to improve your organization’s security and compliance and simplify the process for working through customer security reviews and regulatory audits, please get in touch. For a limited time we’re offering early access pricing for customers who have deployed on AWS.

Register Now for July 2017 Aptible Product Update Webinar

Our next product update webinar will be hosted on July 25, 2017 at 11am Pacific / 2pm Eastern.

Please register now.

All registrants will receive a webinar recap and the recording shortly after the conclusion of the webinar.
