Third-party Security Ratings and Backporting

Updated -

Business and government entities now utilize Third-party Security Rating services to measure the security posture of their own organizations as well as their existing and prospective partners. There are a number of organizations in the security rating industry that are named as supportive of the Principles for Fair and Accurate Security Ratings. Many of these organizations describe their processes as passive and unobtrusive measurements using patented and proprietary processes to accurately measure and assess a third party's security posture. However, to date, we have yet to find a single third-party rating organization that has incorporated the common Open Source Security Backporting Practices into their methodology for measuring the patch level and integrity of systems running Red Hat Enterprise Linux.

Security rating organizations that don't address backporting issues often wrongly assume that Red Hat Enterprise Linux is unpatched, resulting in security scores about an organization that are lower than what they should be. These incorrect scores can damage an organization’s reputation. Or worse, they can lead to lost business.

Where there has been an opportunity presented for communication, Red Hat strongly encourages third-party security rating services to go beyond simply using banner fields (which can be modified to identify the server type) as a means to determine if a system is vulnerable or has been patched for certain Common Vulnerabilities and Exposures (CVEs). Like many vendors in the industry, Red Hat openly and publicly provides detailed information about bugs and security vulnerabilities that are fixed within our products. This data is freely shared through multiple venues so that our customers have the ability to clearly and accurately understand the effects and scope of vulnerabilities that could impact their business operations. Further, Red Hat takes every opportunity to work with these organizations and implores them to appropriately test and validate their findings against Red Hat products and services to ensure accuracy in their findings.

How to Verify
If you receive a security ratings report where Red Hat Enterprise Linux systems have been reported as unpatched, we encourage you to do the following:

  • Determine your level of patch compliance using tools such as Red Hat Satellite, Red Hat Insights and the Red Hat Customer Portal, which can help determine the patching posture of your infrastructure.
  • Specifically, look at the versions of packages installed on your systems, and confirm on whether they are the latest version available. One way to do this is to use the options provided within yum to display information about security-relevant packages of the supplied severity_level. If you are unsure, contact your Red Hat support representative.
  • Additionally, Red Hat openly and publicly provides access to product security data - including an API, to help customers and researchers with security measurement.

Once you have examined and validated the security patches of your own infrastructure, look for contextual supporting evidence in the report that shows how this data was collected or validated. If no data exists—or the data is insufficient—ask the security ratings vendor to provide a copy of their methodology showing how they scanned, analyzed, and arrived at their conclusions.

A well-defined patch management process is an important part of any information security program. A thorough review of current patching timelines and the release of updates for non-critical applications should be a quarterly exercise. Red Hat continues to be open and transparent about its security backporting processes and encourages all organizations—especially those offering third-party security ratings—to provide transparently verifiable data, including backported security patches.

Additional Links: