This topic describes the procedure for fixing software vulnerabilities on your servers and the measures that reduce the risk of a fix disrupting your business.

Note The solutions provided in this topic can be used to fix vulnerabilities detected in operating systems, network devices, databases, and middleware on servers.

Procedure for fixing software vulnerabilities

Expertise in software security and in the operating system being patched is required to fix software vulnerabilities on your servers. Perform the following steps to fix software vulnerabilities:

Before the fix

  • Take an inventory of the assets on the server and log on to Security Center to view the vulnerabilities that were detected on the server.
  • Determine which vulnerabilities need to be fixed. You can fix vulnerabilities in batches based on your business requirements. For example, select the vulnerabilities to fix based on the business status, the server resource usage, and the impact that the fix may have, such as a package upgrade that requires a service restart or a reboot.
  • Obtain the patches from the vendor's official channel and verify their integrity, for example by checking the signature or checksum that the vendor publishes. Then upload the patches to the staging environment, test their compatibility and security, and generate a test report. The test report must record the fix result, the fix duration, the patch compatibility, and the impact of the fix.
  • Use the backup and recovery system to back up the data on the server so that the server can be restored if the fix fails. For example, use the snapshot feature of ECS to create a snapshot of the ECS instance before you start.

During the fix

  • Upload the patches to the server and apply them. This task requires at least two administrators: one applies the patches and the other records every operation that is performed, so that the fix can be audited and, if necessary, rolled back. Apply patches one at a time and confirm the result of each step before you continue.
  • Upgrade the affected software according to the vulnerability list provided by Security Center.

After the fix

  • Validate the fix on the server: run vulnerability detection again in Security Center, confirm that each affected package is at or above the version that contains the fix, and check that all services start and run normally. If a package that you patched is still reported, a running process may still be using the old library, or a reboot may be required.
  • Generate a vulnerability fix report that covers the entire fix process, and archive it together with the test report, the operation record, and the backup information.
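The validation and reporting steps above can be automated on a Debian-based server. The following script is an added example and is not code from this page or from Security Center. It assumes that package versions follow Debian's epoch:upstream-revision format and that the installed package list is the output of `dpkg-query -W -f '${Package} ${Version}\n'`; the fix list and the package listing embedded in it are constructed sample data, and the host name web-01 is hypothetical. The script compares each package in the fix list with the installed version using dpkg's comparison rules and builds a report of which fixes took effect, which packages are still below the fixed version, and which entries do not apply to this host.

```python
"""Validate a vulnerability fix on a Debian-style server and build a report.

Added example, not Security Center's or the page's own code. Assumptions:
versions follow Debian's epoch:upstream-revision format and the installed
package listing is the output of dpkg-query -W -f '${Package} ${Version}\n'.
The fix list and the listing below are constructed sample data.
"""
import json
import re
from typing import Dict, List

# Constructed sample fix list: package -> first version that contains the fix.
FIX_LIST: Dict[str, str] = {
    "openssl": "1.1.1n-0+deb11u5",
    "libssl1.1": "1.1.1n-0+deb11u5",
    "sudo": "1.9.5p2-3+deb11u1",
    "vim": "2:8.2.2434-3+deb11u1",
    "libxml2": "2.9.10+dfsg-6.7+deb11u4",  # not installed on this sample host
}

# Constructed sample of dpkg-query output captured after patching.
# libssl1.1 was deliberately left one revision behind openssl.
INSTALLED_OUTPUT = """\
openssl 1.1.1n-0+deb11u5
libssl1.1 1.1.1n-0+deb11u4
sudo 1.9.5p2-3+deb11u1
vim 2:8.2.2434-3+deb11u1
curl 7.74.0-1.3+deb11u11
"""


def _char_order(c: str) -> int:
    # dpkg ordering for non-digit characters: '~' sorts before everything,
    # even the end of the string; letters sort before other characters.
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a: str, b: str) -> int:
    for i in range(max(len(a), len(b))):
        oa = _char_order(a[i]) if i < len(a) else 0
        ob = _char_order(b[i]) if i < len(b) else 0
        if oa != ob:
            return -1 if oa < ob else 1
    return 0


def _cmp_part(a: str, b: str) -> int:
    # Alternate between non-digit runs and digit runs, starting with a
    # non-digit run, as dpkg does for the upstream version and the revision.
    while a or b:
        ra, rb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        r = _cmp_nondigit(ra, rb)
        if r:
            return r
        a, b = a[len(ra):], b[len(rb):]
        ra, rb = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        na, nb = int(ra or "0"), int(rb or "0")
        if na != nb:
            return -1 if na < nb else 1
        a, b = a[len(ra):], b[len(rb):]
    return 0


def _split(version: str):
    epoch, _, rest = version.partition(":") if ":" in version else ("0", "", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b (dpkg --compare-versions rules)."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)


def parse_installed(text: str) -> Dict[str, str]:
    """Parse 'name version' lines as printed by dpkg-query."""
    installed: Dict[str, str] = {}
    for line in text.splitlines():
        if line.strip():
            name, version = line.split()
            installed[name] = version
    return installed


def check_fixes(fix_list: Dict[str, str], installed: Dict[str, str]) -> dict:
    """Classify every fix-list entry as fixed, still vulnerable, or not installed."""
    result: dict = {"fixed": [], "still_vulnerable": [], "not_installed": []}
    for pkg, fixed_in in sorted(fix_list.items()):
        current = installed.get(pkg)
        if current is None:
            result["not_installed"].append(pkg)
        elif compare_versions(current, fixed_in) >= 0:
            result["fixed"].append(pkg)
        else:
            result["still_vulnerable"].append(
                {"package": pkg, "installed": current, "fixed_in": fixed_in})
    return result


def build_report(host: str, fix_list: Dict[str, str], installed_text: str) -> dict:
    """Build the fix report for one host; 'passed' is False if anything remains."""
    report = check_fixes(fix_list, parse_installed(installed_text))
    report["host"] = host
    report["passed"] = not report["still_vulnerable"]
    return report


if __name__ == "__main__":
    print(json.dumps(build_report("web-01", FIX_LIST, INSTALLED_OUTPUT), indent=2))
```

Run the script after patching, or feed it the real dpkg-query output, and attach the JSON it prints to the fix report; a `passed` value of false means the next vulnerability detection run will still flag the server. The comparison follows the dpkg rules for epochs, the `~` prefix and alternating text and number runs; RPM-based systems use rpm's own comparison rules, which differ in detail, so the comparison function would need to be replaced there.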

Risk prevention

To make sure that the server keeps running properly during the fix and to minimize the possibility of exceptions, perform the following operations:

  • Develop a vulnerability fix plan

    Research the operating system and the applications on the server and develop a plan that applies to them. The plan must also describe how to roll back if the fix fails. Discuss the plan and verify its feasibility in a staging environment. Make sure that every operation in the plan can be performed and does not adversely affect the server.

  • Test the vulnerability fix plan

    You must use a staging environment to verify the feasibility of your vulnerability fix plan. Make sure that the plan does not have negative impacts on the online business system to be fixed.

    Requirements for the staging environment:

    • The operating system, including its version and patch level, and the database system in the staging environment must be the same as those in the online business system.
    • The application system in the staging environment must be the same as that in the online business system.
    • We recommend that you use the last full backup of the online business system as the test data.
  • Back up the business system

    Back up the entire business system, including the operating system, applications, and data. Then, test that the backup can actually be used to restore the system; a backup that has never been restored cannot be relied on. If the fix causes an error or data loss, use the backup to restore the system. This keeps the business stable. We recommend that you allow Security Center to automatically create snapshots so that your business system is backed up quickly before you fix vulnerabilities.

    Note Security Center automatically creates a system snapshot of your server only if the vulnerability to be fixed is a Linux software vulnerability or a Windows system vulnerability.

References

How often does Security Center detect vulnerabilities?

What are the differences between baselines and vulnerabilities?

What do I do if I cannot enable the vulnerability detection feature for a server on the Assets page?