Our latest service release is the third release this year, and like the previous two, it focuses on hardening and improving the resilience of the Orion® Platform.
Our work so far this year has been a product of our Secure by Design program, crafted to address the emerging threat landscape.
2020.2.4 was released in January 2021, and together with the new digital code-signing certificate provided all necessary security fixes for SUPERNOVA and SUNBURST, originally released in 2020.2.1 HF 2 (released December 15, 2020).
2020.2.5 followed in March 2021 and included a cumulative set of security improvements for the platform and for individual products, as well as some dashboarding improvements.
This current 2020.2.6 service release includes fixes for CVEs listed for the platform and for specific products in the Release Notes. There’s also broad hardening work designed to improve the resilience of your Orion Platform deployment and to help keep you and your data safe.
Collectively, these three releases prioritized security and hardening, and reflect the investment we’re making in evolving towards a Secure by Design culture.
In addition to the changes in the product build process outlined on the Secure by Design resources page, the software development teams have focused on multiple areas of the product to proactively harden the Orion Platform. Some of those areas include:
We improved the internal handling of user credentials and certificates, and the operations users are authorized to perform based upon their role or identity. The scope of our work covers the Orion Platform and multiple Orion Platform product modules and helps to correctly limit views of management data to individuals authorized to access it.
Improving our handling of authorization helps give customers the confidence to surface the right data to the right user, and manage risks associated with credential provisioning.
Cross-site scripting (XSS) attacks the integrity of a user’s connection with the Orion Platform and can result in the injection of malicious code designed to execute on either the client browser or on the server. We strengthened the specific mechanisms that mitigate the risk of XSS, spanning the Orion Platform and several of its modules.
These improvements to the security of the user’s connection are intended to give you the confidence to distribute information appropriately to users across the company.
Our data validation work focused on several areas. We improved how data inputs are handled to verify their integrity on entry and to preserve that integrity as data is stored in or retrieved from the database. We also improved protections for data integrity against malicious or inadvertent injection attacks on the database.
Improving data validation helps administrators be confident that the data stored in the system is accurate and helps reduce the risk of data corruption, whether malicious or inadvertent.
Securing data in motion can include communications over the network and communications between processes on a server. We focused on improving the security of data communicated internally, or externally from the Orion Platform.
Securing data in motion supports data validation by reducing the risks of data leakage or tampering as processes share data.
Third-party code packages are used for some standard, commodity functions to help improve the efficiency and consistency of common operations needed in multiple areas of our code. Our focus in this area was to examine and mitigate potential issues.
Examining these third-party packages and mitigating issues as they are identified helps give our users confidence that we’ve made appropriate use of shared, common functions, which we closely audit for secure implementation.
Application Programming Interfaces (APIs) provide controlled programmatic access to data, and they require authentication and authorization to provide access. We’ve added resiliency and enforced strict controls on both internal APIs and those exposed externally for integration.
By hardening these interfaces, we can continue to confidently expose them—and expand their functionality to support flexible integrations—while constantly working to make them even more resilient.
A denial-of-service attack compromises the ability of a tool to function properly and to respond to the user. Here, our hardening efforts focused on resiliency and on improving the Orion Platform’s responsiveness under this type of attack.
By supporting the overall resilience of the Orion Platform, we help mitigate the impact of these types of direct attacks.
With the delivery of these three service releases, you can expect to see CVEs called out explicitly in our release notes, and we’ll continue to identify opportunities to improve security and harden the product.
You can also expect us to update our “What We’re Working On” roadmap postings with information about new product features in progress. We’ll shift towards balancing the delivery of new product features within the framework of our Secure by Design process and continue to deliver security improvements in our ongoing releases.
The Server & Application Monitor and Virtualization Manager products are both releasing new features; follow the links to learn more about those. The Orion Platform also includes some improvements that benefit all Orion Platform users—check those out at the links above.
As usual, this service release is available immediately in your Customer Portal.