When one is better than many: for SUSE, security is not an afterthought | SUSE Communities

A couple of weeks ago I ran into an article on Heise Security (German) quoting the newest Security Report for Germany from Secunia. An English version that links to the report for the UK can be found on The H Open.

One of the key findings of those reports is that the average computer user needs to use about two dozen different update tools to make sure all relevant security patches are applied!

Well, not if you are running SUSE Linux Enterprise Server or Desktop, or its community sibling openSUSE.

For us, applying updates and security fixes is not an afterthought. We have developed the tools and processes to make applying software updates easy and secure.

Let me start with the tools for the desktop. There is just one applet that informs you about all new updates and allows you to review and apply them.

That is true for all applications that come from SUSE as part of your Enterprise Linux subscription. In most cases you don’t need to look for third party applications in the first place because SUSE Linux Enterprise Desktop comes complete with web browser, e-mail client and the LibreOffice productivity suite. In other words, batteries are included.

It is also true for all third party applications that are provided by a vendor or an open source community as RPM package repositories (which is the default for Enterprise Linux)! When you add third party repositories you decide once whether you want to trust them by accepting a cryptographic key. This key is used to sign packages, so their origin can be verified.

But it is not only the packages that are signed. We’ve also made sure that the metadata of the package repositories is signed and protected by checksums. This prevents attackers from sneaking in genuine but outdated packages: ones that carry a valid vendor signature but have since been replaced by a more secure update from the vendor.
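To show why the signed metadata matters on top of package signatures, here is a small model added as an illustration; it is not SUSE's code. It assumes a simplified JSON index instead of the real repository metadata format, uses HMAC as a stand-in for the OpenPGP signatures that real repositories use, and all names and sample data are constructed.

```python
import hashlib, hmac, json

# Constructed demo key. HMAC stands in for the OpenPGP signatures real RPM
# repositories use; only the trust logic is modelled here.
VENDOR_KEY = b"constructed-demo-key"

def sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

def sign(data: bytes) -> str:
    return hmac.new(VENDOR_KEY, data, hashlib.sha256).hexdigest()

def verify(data: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(data), sig)

def publish(packages: dict) -> tuple:
    """Vendor side: build an index of package checksums and sign it."""
    index = json.dumps({n: sha256(b) for n, b in packages.items()},
                       sort_keys=True).encode()
    return index, sign(index)

def check_package_only(blob: bytes, pkg_sig: str) -> bool:
    """Weak client: accepts any package with a valid vendor signature."""
    return verify(blob, pkg_sig)

def check_with_metadata(name, blob, pkg_sig, index, index_sig) -> bool:
    """Client as described above: package signature AND signed metadata."""
    if not verify(blob, pkg_sig) or not verify(index, index_sig):
        return False
    expected = json.loads(index).get(name)
    return expected is not None and hmac.compare_digest(expected, sha256(blob))

# Constructed sample data: an old build and the update that replaced it.
OLD = b"demo-tool 1.0 (superseded)"
NEW = b"demo-tool 1.1 (security update)"
OLD_SIG, NEW_SIG = sign(OLD), sign(NEW)
INDEX, INDEX_SIG = publish({"demo-tool": NEW})  # current repo lists only 1.1

def demo() -> dict:
    # Index edited to list the old checksum; its signature no longer matches.
    edited = INDEX.replace(sha256(NEW).encode(), sha256(OLD).encode())
    args = ("demo-tool", OLD, OLD_SIG)
    return {
        "old_pkg_weak_client": check_package_only(OLD, OLD_SIG),
        "old_pkg_metadata_client": check_with_metadata(*args, INDEX, INDEX_SIG),
        "new_pkg_metadata_client": check_with_metadata(
            "demo-tool", NEW, NEW_SIG, INDEX, INDEX_SIG),
        "edited_index": check_with_metadata(*args, edited, INDEX_SIG),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The client that checks only the package signature accepts the superseded build, while the client that also checks the signed index rejects it, and rejects an index that was edited after signing.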

As a bonus, the original packages from SUSE come with patch descriptions that describe in detail why and when an update should be applied, and, if applicable, which CVE vulnerability reports the patch addresses.

The same infrastructure is used if you prefer updating your system from the command line, using the zypper command.

A single tool lets you update individual systems in a consistent way. Why does that matter? Well, I’m sure you’ve asked yourself before whether that pop-up is genuine: the one that asks you for your administrator password so that an update application you have never seen before can update one of the dozens of applications you have running. It’s next to impossible for end users to verify, for each of the two dozen update tools they have to use on a Windows desktop, that they are the real thing.

So all you can do is choose between not accepting that tool and risking that your system stays unpatched, or accepting it and risking that you have just given a Trojan horse program administrator access to your system.

Now, if you’ve been using our operating systems in production you may not fully agree with me: Even SUSE Linux Enterprise is not the Holy Grail of patch management. Why? Because not all third party software uses the update stack we offer. So you may still have to patch some applications with their own tools or no tools at all.

This is why SUSE and the openSUSE community are continuously working on better tools and documentation for building software packages and creating software repositories, like the Open Build Service.

So if you are a software vendor or part of an open source community project and you aren’t using the build service yet, give it a try: Those tools make it easy to consistently build packages your end users can trust and rely on!

Now what if your challenge isn’t patching a single Linux system, but hundreds, thousands, or tens of thousands of Linux systems? That’s when SUSE Manager comes into play. It allows centralized management of update repositories and patching of servers, so your whole enterprise IT stays secured and compliant. And yes, it consistently ties into the same basic tools I’ve mentioned above (RPM repositories and our zypper software management).

This is Joachim Werner blogging live from SUSE in Nuremberg, where we have security in our DNA!
