In MinSec for Applications, the Patching item has the following:
Based on National Vulnerability Database (NVD) ratings, apply high severity security patches within seven days of publish and all other security patches within 90 days. Use a supported version of the application.
For Globus Connect Personal, Globus automatically enables checking for software updates, and updates are applied in the same way as most other endpoint apps: You are notified of an update, which (when you click a button) Globus downloads and installs. So, it should be enough to tell users to leave the "Check for updates" box checked.
For Globus Connect Server, Globus maintains package repositories for all supported Linux distributions (see https://docs.globus.org/globus-connect-server-installation-guide/#supported_linux_distributions). As long as sysadmins use these repositories, their regular server patching process will automatically pull in any available Globus updates. Also, when sysadmins run the globus-connect-server-setup command, an immediate check is performed, and if the software has an update available, the command will not run. You can see this implemented in code here: https://github.com/globus/globus-connect-server/blob/master/source/globus/connect/server/__init__.py#L235
So, two content items to address this:
• Clients should leave the "Check for Updates" box checked.
• Servers should use the repo, and regularly update.