Show HN: Patchwork – Real-time notifications for OSS vulnerabilities (opens in new tab)

Hi halite!

1. We've got agents listening to incoming feeds, and did the work to ingest all the historical vulnerability data we could find.

2. We're focusing on apt installed packages for our initial release.

3 & 4. We haven't built out plugin support for scanning repos and ingesting from other tools. We're looking to get as much info as we can about what data you have to feed into us :), so we can figure out what'll work best!

5. The only machine metadata we're currently using is: hostname (this can be changed by setting the FRIENDLY_NAME environment variable), Operating System, Operating System Version, the tracking UUID for a package. The package data is: package and package version. We're aiming to keep the minimal subset of information we need to provide notifications :).

5. We're using Digital Ocean for our hosting (those guys rock!). Hosts are currently only in SF.

6. Our larger machine package sets are around 200-300kb.

7. How much volume?

Halite, feel free to ping me about the volume pricing! shamiq@patchworksecurity.com

Hi, our roadmap includes hooking into CI where your CI can ask our API Is the current project state vulnerable? yes) Here are a list of dependencies you need to update, run your test again no) Good, proceed with deploy

This is a little further down the roadmap, but is definitely something we want to do.

Hey, I’m David, the other co-founder of Patchwork Security. I was working on AppSec at Mozilla when Shellshock came out, then the next variant and the next. The OpSec team diligently followed new developments, but there had to be a better way than following a bunch of mailing-lists or watching HN for the next named vulnerability. Shamiq and I designed Patchwork to notify users of relevant packages in their infrastructure rather than the firehose approach reporting every new vulnerable package.

Let us know if you run into any problems.

Hi k33n,

Thanks for sharing what you learned. We will look into integrating with existing security tools.

In the meantime, we believe that providing a security notifications API to users is valuable.

Pakiti looks like an interesting tool. Development seems to have slowed down in 2013, but the feature set might have been stable by then. We'll definitely look into this. Thanks deadfece!

Great idea! We're looking to build out and extend a callback API so you can have it post data to whichever end point you want. Some integrations I've been toying with are: alerts in a slack channel, SMS notifications, push issues to git, get continuous integration to block unless it's 'ok', have it call my mom and have her yell at me till I patch my servers!

It's sort of interesting how you imply that individuals would use this service to exploit others. Can you not imagine situations where non-companies would want to use this for their own systems? And do you not think individuals would question the utility of a service that intentionally delayed notifying them of package vulnerabilities? We're not talking about embargoes here either, since Patchwork is scraping from publicly available upstream announcements.

Cool idea -- I'll go get the golf clubs!

We'd love to be at the point where Patchwork notifications are ahead of public releases, and get you patched before the vulnerability is widely exploited. In fact, one of the crazy ideas we've been kicking around is how to detect 0days without installing an agent on production machines.

I believe this issue is fixed now.

https://github.com/PatchworkSecurity/cleansweep/issues/8

Could you try running the script again?

Hi, can you tell me the version of curl you're running with

curl -V

Also send me an email at david@patchworksecurity.com and I'll get it working for you.

I like the response[1] to that issue by Kenton Varda on the sandstorm team. I think it's a well thought out piece.

[1] https://sandstorm.io/news/2015-09-24-is-curl-bash-insecure-p...

He addresses code signing and mitm and connection interruptions.

Edit: The gist of it is no, it's not more insecure than other software distribution methods.

Hi, we decided to make it easy to setup the tool and run it. The source code is available on GitHub

https://github.com/PatchworkSecurity/cleansweep/blob/master/...

The comments explain what is happening at each step.

Yeah telling us to blindly run a shell script is...a quirky design choice. At least it doesn't tell you to run it with sudo like I've seen some other ones do, and the shell script itself is sanely commented.

This comment breaks the HN guidelines. If you have a question or a criticism there is no reason why you can't express it respectfully. Please don't post any more comments like this.

Install via curl is also, by now, a classic flamewar topic with people who know what they're doing on both sides of the argument and well-trodden arguments all around. Please don't bring topics like that up with indignant denunciation as if you're the first person to encounter an outrage.

Hi,

We understand your concerns with the current install mechanisms. We're working toward providing multiple options similar similar to sandstorm.io

https://docs.sandstorm.io/en/latest/install/

There is the risk that we become a high value target. Would a solution that allows a user to query the state of a package/version instead of us storing package sets be acceptable? Or do you believe that SchizoDuckie's database approach to be the only way?

Hi, the shell script is an implementation of our API. You can implement your own client against our API endpoints. This gives you complete control of what package data you send to us. If you only care about OpenSSL, you can create a machine with only OpenSSL and we will notify you when that is out of date.

https://patchworksecurity.com/docs/

The current infrastructure segregates the user and machine data. A compromise of both machines would allow an attacker to recreate the mappings between users and their machines. We're hoping that this service will reduce the time your infrastructure is vulnerable because you know immediately when something goes out of date.

Lastly, we wanted to make it really simple for a user to get setup on our service which resulted in the curl | sh idiom. The source code for the script is on GitHub

https://github.com/PatchworkSecurity/cleansweep/blob/master/...

"It would be a much better design if it worked the other way around: Aggregate recent security patches into a database and send those to the servers, and have them do a local compare of vulnerabilities. You could charge for the database access and still keep your business model."

There is definitely value in having an aggregate database with recent security information. We agree that there are certain customers who would prefer / require an on-premise solution. Selling database access is something that we have considered, but haven't looked into deeply.

There is no restriction that the data must come from your local machine. You can integrate with our API to create a machine that has ``all'' packages for Ubuntu version X. We will then notify you when packages are outdated and you can act on that locally. Granted this still leaks the version of Ubuntu you are running, but we will have no insight into what each of your machines are actually running.

Thanks for raising these concerns.

What's the difference between downloading and executing a binary, installing a package (apt-get, pip, gem, etc), and curl | sh which makes the later so bad?