5.1.1.4 Process to record and react to the availability of new security updates based on a risk-benefit assessment
The repository shall have a process to record and react to the availability of new security updates based on a risk-benefit assessment.
This is necessary in order to protect the integrity of the archival objects from unauthorized changes or deletions.
Risk register (list of all patches available and risk documentation analysis); evidence of update processes (e.g., server update manager daemon); documentation related to the update installations.
Decisions to apply security updates are likely to be the outcome of a risk-benefit assessment; security patches are frequently responsible for upsetting alternative aspects of system functionality or performance. It may not be necessary for a repository to implement all software patches, and the application of any must be carefully considered. Each security update implemented by the repository must be documented with details about how it is completed; both automated and manual updates are acceptable. Significant security updates might pertain to software other than core operating systems, such as database applications and Web servers, and these should also be documented. Security updates are not limited to software security updates. Updates to actual hardware or to the hardware system’s firmware are included. Over time it is likely that security updates will also be needed for the repository processes and for its physical security. Although security updates can be considered as a part of the change control, they are identified separately here because there are often outside services that compile and circulate information on security issues and updates. At a minimum, repositories should be monitoring these services to ensure that repository-held data is not subject to compromise by identified threats.
APTrust tracks and identifies changes for security updates in multiple ways.
As part of the shared model with AWS, APTrust is informed by AWS via email and through the events console about any impending patches or updates to the infrastructure. The notices include significant data on the impacts of the changes when implemented. As discussed in 5.1.1, by migrating to containers, all security updates for the hosting systems have been handed off to AWS.
Containers that hold the software are APTrust’s responsibility, and have checks run on the repos by tools such as Dependabot and Snyk, via the Docker subscription. These tools can be added to the pipelines themselves.
Wasabi, like AWS, is responsible for the patching and upgrading of the host systems underlying the storage.
All software updates and changes are vetted by the APTrust technical team in a test environment, and tracked in the Trello ticketing system.
Create updated documentation for this. Task in Trello. The reference.