Getting started with Zeridian

Overview

Zeridian is designed to make users aware of when they are running outdated or insecure modules. The method used by Zeridian, scanning modules at load time for security, licensing, and open source health/quality issues, is known as in-parser Module Security Scanning. It is particularly valuable for security issues that are discovered over time: a module may go into production with no known vulnerabilities and present a wide open backdoor some years later when vulnerabilities are discovered.

For example, all Django versions before 1.4.11 were vulnerable to CVE-2014-0474. Anyone who did careful security scanning of Django 1.4.10 and then deployed their code, secure in the belief that there were “no vulnerabilities”, was wide open from that point on unless they continued to run some kind of ongoing scanning in their production environment. Most organizations do not do this, and it requires constant maintenance work if they do.

Zeridian Security and Compliance automates this process, eliminating uncertainty about which modules contain security issues and vulnerabilities, and in turn which applications are vulnerable.

How Zeridian works

When the ActivePython interpreter loads a Python module, it opens the module file and reads its contents. Zeridian scans the files loaded by the interpreter for existing or newly discovered security vulnerabilities, outdated or “risky” modules, license violations, and stale or dated open source software (health/quality). The Zeridian plugin for the ActivePython interpreter is scan-only by design: modules are never prevented from running, but any problems found are reported to an administrator through the Zeridian web application.

Zeridian collects metadata about your ActivePython builds, such as package names, package licenses, and version numbers, which aid in identifying compromised, out-of-date, or potentially vulnerable software. No private, personal, or other enterprise data is collected, and no program code or binaries are transmitted from your application.

Python applications running with ActivePython will periodically send data to Zeridian. Data is sent on startup of the application, and subsequently each time a new package/module is loaded into the interpreter.
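Load-time observation of this kind can be built on Python's import hooks. The following is an added example written for this page, not the Zeridian plugin's code: a sys.meta_path finder that records each top-level module, and the version of the installed distribution providing it when one exists, as the interpreter loads it, and that never blocks the load. The class and function names and the use of importlib.metadata are this example's own assumptions.

```python
import importlib
import importlib.abc
import sys
from importlib import metadata


def distribution_version(module_name):
    """Best-effort version of the installed distribution that provides module_name.

    Returns None for standard-library modules and anything not installed as a
    distribution. packages_distributions() exists from Python 3.10 onward; on
    older interpreters, or if the metadata scan fails, we simply report None.
    """
    try:
        dists = metadata.packages_distributions().get(module_name) or []
    except Exception:  # AttributeError on < 3.10, or a broken site-packages entry
        dists = []
    for dist in dists:
        try:
            return metadata.version(dist)
        except metadata.PackageNotFoundError:
            continue
    return None


class ImportObserver(importlib.abc.MetaPathFinder):
    """Records every top-level module as it is imported, without changing import.

    find_spec() always returns None, so the regular finders still locate and
    load the module: observation only, in the spirit of a scan-only plugin.
    """

    def __init__(self):
        self.seen = {}      # top-level module name -> distribution version or None
        self._busy = False  # metadata lookup can itself import modules; avoid re-entry

    def find_spec(self, fullname, path, target=None):
        if self._busy:
            return None
        top = fullname.partition(".")[0]
        if top not in self.seen:
            self._busy = True
            try:
                self.seen[top] = distribution_version(top)
            finally:
                self._busy = False
        return None  # defer to the normal finders; never block a load


def install_observer():
    obs = ImportObserver()
    sys.meta_path.insert(0, obs)  # first in line so it sees every lookup
    return obs


def uninstall_observer(obs):
    sys.meta_path.remove(obs)


def is_installed(obs):
    return obs in sys.meta_path


def observe_fresh_import(obs, module_name):
    """Force a fresh import so the observer sees it; returns (observed, version)."""
    sys.modules.pop(module_name, None)
    importlib.import_module(module_name)
    return module_name in obs.seen, obs.seen.get(module_name)


if __name__ == "__main__":
    observer = install_observer()
    print(observe_fresh_import(observer, "colorsys"))  # stdlib module: (True, None)
    uninstall_observer(observer)
```

Because the finder returns None unconditionally, a failure inside the lookup can only lose a record, never stop an import; that is the property a scan-only hook has to preserve. In a real agent the recorded (name, version) pairs are what would be sent to the service.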

Zeridian platform configuration

When you log in to Zeridian, you log in to a particular Organization and you are only able to see information associated with that organization. The organization you belong to is displayed at the top of the navigation menu.

Identities are the grouping mechanism for each organization in Zeridian. You can define identities as broadly or narrowly as you choose. You could create a separate identity for each user running ActivePython applications, for each ActivePython application regardless of who is running it, or identities for particular organizational units or the organization as a whole. By default, one identity is created for your beta account, but you can create additional identities as required.

Zeridian uses a simple configuration file, named zeridian.config, to associate each Zeridian interpreter instance with an identity. The identity value is listed in the configuration file as a unique identifier. You can place the configuration file in different directories according to your desired configuration:

  • System: You can put the configuration file in a system directory (e.g. /etc on Linux/macOS) to associate an identity with all interpreters running on the system, regardless of user.
  • User: You can put the configuration file in a user home directory (e.g. ~/ on Linux/macOS) to associate an identity with a particular user.
  • Workspace: You can put the configuration file in the workspace directory (current working directory) of an ActivePython application to associate an identity with that application.
  • Environment variable: You can put the configuration file in an arbitrary location and reference it by creating and setting the ZERIDIAN_CONFIG environment variable.
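The page lists four places the file can live but not the order in which they are consulted. The following added example, not Zeridian's own lookup code, shows one way to resolve those locations; it assumes the precedence environment variable, then workspace, then user, then system, and it surfaces the case where ZERIDIAN_CONFIG points at a file that does not exist. The function names and the injectable exists callable are this example's own assumptions.

```python
import os
from pathlib import Path

CONFIG_NAME = "zeridian.config"


def candidate_paths(env, cwd, home, system_dir="/etc"):
    """Locations to check, most specific first (assumed precedence)."""
    candidates = []
    explicit = env.get("ZERIDIAN_CONFIG")
    if explicit:
        candidates.append(Path(explicit))          # environment variable
    candidates.append(Path(cwd) / CONFIG_NAME)     # workspace
    candidates.append(Path(home) / CONFIG_NAME)    # user
    candidates.append(Path(system_dir) / CONFIG_NAME)  # system
    return candidates


def resolve_config(env, cwd, home, system_dir="/etc", exists=os.path.exists):
    """Return (chosen_path_or_None, notes).

    'exists' is injectable so the lookup can be exercised against constructed
    paths without touching the real filesystem; by default it is os.path.exists.
    """
    notes = []
    explicit = env.get("ZERIDIAN_CONFIG")
    if explicit and not exists(str(Path(explicit))):
        notes.append(f"ZERIDIAN_CONFIG points at {explicit}, which does not exist; falling back")
    for path in candidate_paths(env, cwd, home, system_dir):
        if exists(str(path)):
            return path, notes
    notes.append("no zeridian.config found in any candidate location")
    return None, notes


if __name__ == "__main__":
    chosen, why = resolve_config(os.environ, os.getcwd(), Path.home())
    print(chosen, why)
```

Reporting the fallback instead of silently ignoring a dangling ZERIDIAN_CONFIG matters operationally: an interpreter that quietly picks up the system-wide file would report under the wrong identity.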

Customizing the date and time display for Zeridian

You can change the way dates and times are displayed in the Zeridian web application and the timezone that is used.

  1. Click the menu at the top right of the page (the one that displays your email address) and select Preferences.
  2. Select the date/time format to use.
  3. Select the time zone to use from the drop-down list.
  4. Click Submit to save your changes.

Viewing the Dashboard

The Zeridian Dashboard provides an overview of the security of the ActivePython applications in use in your organization. It displays summary information for your organization:

  • Warnings: A color-coded list of component warnings (high=red, medium=yellow, low=green)
  • Identities: A list of identities being tracked for your organization. Identities with the most recent activity are listed first.
  • Components: An alphabetical list of the components identified for your organization.
  • Recent activity: A list of all recent actions that have occurred (e.g. session start, session end, scan submitted, scan returned, new vulnerability identified).

Viewing Warning details

You can view all of the current warnings identified for your organization. A warning is generated for each software package in which one or more vulnerabilities are identified. Vulnerabilities are identified by matching the particular version of the software package against known vulnerabilities listed in the Common Vulnerabilities and Exposures (CVE) List.

Warnings are categorized by the severity of the vulnerability:

  • High
  • Medium
  • Low

  1. Open your web browser and navigate to http://zeridian-beta.activestate.com and sign in.
  2. Click the Warnings link in the navigation bar.
  3. Review the information listed for the warnings. Each warning includes the following information:
    • Component: The name and version of the software package identified as containing a vulnerability. You can click on the software package link to view additional information about the package including the package homepage, the latest version and its release date, and a list of identities that use the vulnerable package.
    • Identity: The name of the Zeridian identity (the interpreter instance running the Zeridian plugin) on which the vulnerable software package is running.
    • Issue: The CVE identifier associated with the vulnerability. The CVE identifier is a unique, common identifier for a publicly known information-security vulnerability in a publicly available software package.
    • Identified on: Lists the date the vulnerability was first identified by a scan of the software package by Zeridian.
    • Description: The description for the CVE entry, which provides details about the vulnerability.
  4. In general, to resolve the warning you need to update the component to the latest version, or at least to a version in which the specific vulnerability is fixed.
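The matching step described above, version against advisory, and the high/medium/low grouping are straightforward to show in code. The following is an added example for this page, not Zeridian's scanner: it encodes the one advisory cited on the page (Django before 1.4.11, CVE-2014-0474) plus a constructed entry with a placeholder identifier, compares installed versions against the first fixed version, and orders the resulting warnings by severity. The advisory table layout, the function names and the simplified version parser are this example's own assumptions.

```python
import itertools

# Constructed advisory table. The Django row encodes exactly the statement on
# this page (every version before 1.4.11 is affected); a real feed carries
# per-branch ranges. The second row is a made-up package with a placeholder
# identifier, not a real CVE.
ADVISORIES = [
    {"package": "django", "issue": "CVE-2014-0474", "severity": "high", "fixed_in": "1.4.11"},
    {"package": "examplepkg", "issue": "CVE-PLACEHOLDER-0001", "severity": "medium", "fixed_in": "2.0.3"},
]

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def parse_version(text):
    """Turn '1.4.10' or '1.4.11rc1' into a comparable tuple.

    Each component becomes (number, is_final). A pre-release tag such as 'rc1'
    sets is_final to 0, so 1.4.11rc1 sorts before 1.4.11 and is still reported
    as affected. This is a deliberately small approximation of PEP 440.
    """
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(itertools.takewhile(str.isdigit, piece))
        parts.append((int(digits) if digits else 0, 1 if digits == piece else 0))
    return tuple(parts)


def is_affected(installed, fixed_in):
    """True when the installed version sorts before the first fixed version."""
    return parse_version(installed) < parse_version(fixed_in)


def scan_components(components):
    """components maps package name -> installed version, as a scan would report it.

    Returns one warning per matching advisory, ordered high -> medium -> low,
    each naming the component, the issue and the version that resolves it.
    """
    installed_by_name = {name.lower(): ver for name, ver in components.items()}
    warnings = []
    for adv in ADVISORIES:
        installed = installed_by_name.get(adv["package"])
        if installed is None or not is_affected(installed, adv["fixed_in"]):
            continue
        warnings.append({
            "component": f"{adv['package']} {installed}",
            "issue": adv["issue"],
            "severity": adv["severity"],
            "fixed_in": adv["fixed_in"],
        })
    warnings.sort(key=lambda w: SEVERITY_RANK[w["severity"]])
    return warnings


def count_by_severity(warnings):
    """Dashboard-style totals per severity level."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for w in warnings:
        counts[w["severity"]] += 1
    return counts


if __name__ == "__main__":
    # Constructed inventory: the Django 1.4.10 case from the page plus two others.
    found = scan_components({"Django": "1.4.10", "examplepkg": "2.0.3", "otherpkg": "3.1"})
    for w in found:
        print(w["severity"].upper(), w["component"], w["issue"], "fixed in", w["fixed_in"])
    print(count_by_severity(found))
```

The pre-release handling is the edge case worth noticing: a naive string or integer comparison would treat 1.4.11rc1 as already fixed, which is the wrong direction to err in for a vulnerability match.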

Viewing Identity details

Use the Identities page to view detailed information about individual identities in your organization. This page provides a quick way to see where vulnerabilities have been identified, and find out more information.

  1. Open your web browser and navigate to http://zeridian-beta.activestate.com and sign in.
  2. Click the Identities link in the navigation bar.
  3. An identities table is displayed listing detailed information for each identity:
    • Identity: The identity name and the unique identifier for the identity.
    • Sessions: Lists active/inactive sessions, and the date and time for the most recent active session.
    • Recent session: The date and time of the most recent session.
    • Warnings: The number of high, medium, and low warnings identified.
    • Recent scan: The date and time of the most recent scan.
    • Components recognized: The number of components (packages or modules) successfully identified by the scan, followed by the total number of components scanned.
  4. Click on the Identity name in the first column to view more details for an individual identity, such as the list of components and details for any warning associated with the identity.

Adding Identities

When your account is created, you are automatically assigned one identity. You can create additional identities as needed.

  1. Open your web browser and navigate to http://zeridian-beta.activestate.com and sign in.
  2. Click the Identities link in the navigation bar.
  3. Scroll to the bottom of the page.
  4. Enter the name of the new identity and click Submit.
  5. Click on the new entry in the Identities list to see the details for the identity. You need to copy the Identity ID to at least one zeridian.config file to use the identity to track Zeridian scan information.

Viewing Component details

When a component (a Python module or package) is scanned by Zeridian under any identity, it is added to the Components page. If vulnerabilities are identified it is listed in the “With Warnings” section; otherwise it is listed in the “Without Warnings” section.

The With Warnings section lists the component name and version, and the number of high, medium, and low vulnerabilities identified for the component. You can click the component name to view detailed information about the component, such as the latest version and where to find it, the details for the warning, and the identities the component has been found in.

  1. Open your web browser and navigate to http://zeridian-beta.activestate.com and sign in.
  2. Click the Components link in the navigation bar.
  3. Review the components listed on the page, and click the component name to view details for any individual component.

Signing out

  1. Click the menu at the top right of the page (the one that displays your email address) and select Sign Out.

Your account is signed out, and your browser is redirected to the login page.