Show HN: Patchwork – Real-time notifications for OSS vulnerabilities
patchworksecurity.comHi, we're currently looking for such tool. Here are some questions that would be helpful for us:
How do you manage vulnerabilities database?
Do you've a list of OSS that this tool covers? Does it integrate with existing scanning tools like Nexpose (http://www.rapid7.com/products/nexpose/).
Can it scan code repositories?
What information does it capture from the machine? Where is the data center located?
What do you anticipate the bandwidth consumption would be like for this tool?
Any volume discounts?
edit: formatting.
Hi halite!
1. We've got agents listening to incoming feeds, and did the work to ingest all the historical vulnerability data we could find.
2. We're focusing on apt installed packages for our initial release.
3 & 4. We haven't built out plugin support for scanning repos and ingesting from other tools. We're looking to get as much info as we can about what data you have to feed into us :), so we can figure out what'll work best!
5. The only machine metadata we're currently using is: hostname (this can be changed by setting the FRIENDLY_NAME environment variable), Operating System, Operating System Version, the tracking UUID for a package. The package data is: package and package version. We're aiming to keep the minimal subset of information we need to provide notifications :).
5. We're using Digital Ocean for our hosting (those guys rock!). Hosts are currently only in SF.
6. Our larger machine package sets are around 200-300kb.
7. How much volume?
Since you're only doing apt installed packages, couldn't you just mail yourself a list of ubuntu security updates for a machine using apt and have the same result?
Hi mmaunder, e-mail notifications are our current callback mechanism but that will expand. The goal of our API is to allow you to consume the vulnerability data in a way that is more beneficial to you e.g Slack, CI. You could have a workflow where a new build is spun up on callback, packages updated, tests run and deployed
Apt is our starting point but we will expand into things like libraries and Ruby gems.
> 7. How much volume?
I think what I'm more interested in understanding is how is license enforced? Our team is responsible for facilitation of pilots and this I can see useful for those machine but these come and go every few months.
Sure thing! The service pivots around machines as it's core pilar. On a more fundamental level, we consider a machine to be the set of unique packages tracked together. So for your case, you'd spin up a pilot, run the script, then post the data to us. Since it's a new machine, we'll issue it a UUID, and track billing against that UUID. If you change the packages on a machine? That's a-okay! We'll use the same UUID, and bill accordingly :). When it's time to sunset a machine, use our soon to be released API to remove it, and billing stops!
To be totally honest, we're still working out all the wrinkles of how billing would work, what's fair to users, and how to track your usage, so feedback is greatly appreciated!
Halite, feel free to ping me about the volume pricing! shamiq@patchworksecurity.com
This would be a cool service to integrate with github badges, next to test coverage and build status. e.g. "2 UNPATCHED VULNERABILITIES" or "VULNERABILITY ASSESSMENT PASSED"
It should be simple enough to intersect the list of a project's dependencies with a list of libraries with known vulnerabilities.
If you provided this as a free service, you'd get a bunch of free advertising from the github badges, like travis-CI. :)
Hi, our roadmap includes hooking into CI where your CI can ask our API Is the current project state vulnerable? yes) Here are a list of dependencies you need to update, run your test again no) Good, proceed with deploy
This is a little further down the roadmap, but is definitely something we want to do.
Hi all! I’m Shamiq, ex-Matasano and co-founder of Patchwork Security. David and I built Patchwork as a devops tool to help manage Open Source Vulnerabilities. We want to drive the time between an available fix and patched infrastructure to zero. We’d love for you to try it out, and let us know what you think!
We’ll be here all day answering comments or you can reach us at shamiq@patchworksecurity.com or david@patchworksecurity.com.
Hey, I’m David, the other co-founder of Patchwork Security. I was working on AppSec at Mozilla when Shellshock came out, then the next variant and the next. The OpSec team diligently followed new developments, but there had to be a better way than following a bunch of mailing-lists or watching HN for the next named vulnerability. Shamiq and I designed Patchwork to notify users of relevant packages in their infrastructure rather than the firehose approach reporting every new vulnerable package.
Let us know if you run into any problems.
Launched something very similar last year and learned that integrations with existing security scanning tools was more important than building our own from scratch. We actually open sourced our linux agent (https://github.com/NoSprawl/LinuxAgent) and a few other little nuggets, but never announced anything.
Hi k33n,
Thanks for sharing what you learned. We will look into integrating with existing security tools.
In the meantime, we believe that providing a security notifications API to users is valuable.
Best of luck to you!
Pakiti (http://pakiti.sourceforge.net/) is another useful tool in this space.
Pakiti looks like an interesting tool. Development seems to have slowed down in 2013, but the feature set might have been stable by then. We'll definitely look into this. Thanks deadfece!
There appears to be some recent development on https://github.com/CESNET/pakiti3
Awesome. Can we hook into this to send updates to Slack instead?
Great idea! We're looking to build out and extend a callback API so you can have it post data to whichever end point you want. Some integrations I've been toying with are: alerts in a slack channel, SMS notifications, push issues to git, get continuous integration to block unless it's 'ok', have it call my mom and have her yell at me till I patch my servers!
You should make this service free for individuals (hackers) and charge companies.
Companies which pay for the service will be notified of the vulnerability before hackers.
Basically you foster a community of hackers while at the same time charging companies protection money from your own hackers.
It's sort of interesting how you imply that individuals would use this service to exploit others. Can you not imagine situations where non-companies would want to use this for their own systems? And do you not think individuals would question the utility of a service that intentionally delayed notifying them of package vulnerabilities? We're not talking about embargoes here either, since Patchwork is scraping from publicly available upstream announcements.
Cool idea -- I'll go get the golf clubs!
We'd love to be at the point where Patchwork notifications are ahead of public releases, and get you patched before the vulnerability is widely exploited. In fact, one of the crazy ideas we've been kicking around is how to detect 0days without installing an agent on production machines.
Doesn't work on my ubuntu machine:
curl -L https://git.io/cleansweep | sh
sh: 94: curl: Argument list too longI believe this issue is fixed now.
https://github.com/PatchworkSecurity/cleansweep/issues/8
Could you try running the script again?
Hi, can you tell me the version of curl you're running with
curl -V
Also send me an email at david@patchworksecurity.com and I'll get it working for you.
Sorry to be snide, but seriously?
curl -L https://git.io/cleansweep | sh
[edit] I still think it's a great idea, though [/edit]
I like the response[1] to that issue by Kenton Varda on the sandstorm team. I think it's a well thought out piece.
[1] https://sandstorm.io/news/2015-09-24-is-curl-bash-insecure-p...
He addresses code signing and mitm and connection interruptions.
Edit: The gist of it is no, it's not more insecure than other software distribution methods.
Hi, we decided to make it easy to setup the tool and run it. The source code is available on GitHub
https://github.com/PatchworkSecurity/cleansweep/blob/master/...
The comments explain what is happening at each step.
Would you bet you live on the assumptionthat there is no way a network problem could truncate the script into something, that does something unintended but harmful?
That problem is easily avoided by wrapping the whole script in a function and then calling it on the last line.
It looks like Patchwork's script doesn't quite do that, but it does put _most_ of its functionality into functions, and AFAICT there is no particular place in the script where a connection loss could lead to anything bad happening. Admittedly this appears to be a lucky accident rather than following best practice.
Hi DoubleMalt,
Thanks for the link. I've filed an issue and should have this fixed tonight
Yeah telling us to blindly run a shell script is...a quirky design choice. At least it doesn't tell you to run it with sudo like I've seen some other ones do, and the shell script itself is sanely commented.
If the script source is on github and isn't run under sudo, is there a meaningful difference between curl | sh and apt-get install from a PPA, gem/pip install, etc?
Meaningful? In most cases no, but since we're already talking about security, curl'ing the shell script from github exposes you to another attack vector, like MITM'ing the script.
The software has to be distributed somehow, right? Probably over https? What makes curl more susceptible to MITM than apt-get/pip/gem/etc?
I don't particularly like curl | sh either, but without sudo, I'm not sure how much it /really/ differs, security wise, from other options.
Edit: real package managers have improved features compared to curl, as outlined in another branch of the comments.
If you want to be extra cautious you can verify that the script hasn't changed with our release key
https://patchworksecurity.com/releases.txt
The latest release (2.0.0) has been signed by my key 0x85C64E20
Looked at the site and read the comments which made me think about the HN post yesterday about hiding vulnerabilities in plain site (https://news.ycombinator.com/item?id=10889721). Like your idea though.
Hi yaworsk,
We're working on improving our API documentation. You can develop against our API and not use the supplied client.
Oh nice! that's a great idea, thanks for sharing
is this a joke?
Piping random shit off the web straight into a shell. Sounds like worst advise. I'm sure the maintainers of this site really know their stuff when it comes to security.
A malicious attacker will love breaking this site and find out who uses which versions.
This comment breaks the HN guidelines. If you have a question or a criticism there is no reason why you can't express it respectfully. Please don't post any more comments like this.
Install via curl is also, by now, a classic flamewar topic with people who know what they're doing on both sides of the argument and well-trodden arguments all around. Please don't bring topics like that up with indignant denunciation as if you're the first person to encounter an outrage.
Hi,
We understand your concerns with the current install mechanisms. We're working toward providing multiple options similar similar to sandstorm.io
https://docs.sandstorm.io/en/latest/install/
There is the risk that we become a high value target. Would a solution that allows a user to query the state of a package/version instead of us storing package sets be acceptable? Or do you believe that SchizoDuckie's database approach to be the only way?
This just sounds like a bad idea to me. Why would you publish all this very sensitive machine info to a third party to retrieve that list? This would be a goldmine if they got hacked.
Also, don't tell your users to blindly pipe curl to sh, ever.
It would be a much better design if it worked the other way around: Aggregate recent security patches into a database and send those to the servers, and have them do a local compare of vulnerabilities. You could charge for the database access and still keep your business model.
Hi, the shell script is an implementation of our API. You can implement your own client against our API endpoints. This gives you complete control of what package data you send to us. If you only care about OpenSSL, you can create a machine with only OpenSSL and we will notify you when that is out of date.
https://patchworksecurity.com/docs/
The current infrastructure segregates the user and machine data. A compromise of both machines would allow an attacker to recreate the mappings between users and their machines. We're hoping that this service will reduce the time your infrastructure is vulnerable because you know immediately when something goes out of date.
Lastly, we wanted to make it really simple for a user to get setup on our service which resulted in the curl | sh idiom. The source code for the script is on GitHub
https://github.com/PatchworkSecurity/cleansweep/blob/master/...
"It would be a much better design if it worked the other way around: Aggregate recent security patches into a database and send those to the servers, and have them do a local compare of vulnerabilities. You could charge for the database access and still keep your business model."
There is definitely value in having an aggregate database with recent security information. We agree that there are certain customers who would prefer / require an on-premise solution. Selling database access is something that we have considered, but haven't looked into deeply.
There is no restriction that the data must come from your local machine. You can integrate with our API to create a machine that has ``all'' packages for Ubuntu version X. We will then notify you when packages are outdated and you can act on that locally. Granted this still leaks the version of Ubuntu you are running, but we will have no insight into what each of your machines are actually running.
Thanks for raising these concerns.
What's the difference between downloading and executing a binary, installing a package (apt-get, pip, gem, etc), and curl | sh which makes the later so bad?
A package is downloaded completely from the net, then checked for it's signature. A network transmission is by orders of magnitude less safe with regards to corruption of the payload.
This article sums it up better than i can do. http://www.seancassidy.me/dont-pipe-to-your-shell.html
Thanks, this makes sense!