Security & Compliance Overview

The Security & Compliance features of the ActiveState Platform let you identify out-of-date or insecure components (packages and modules) running in your environment. The method Security & Compliance uses, scanning components as the interpreter loads them for security, licensing, and open source health/quality issues, is known as in-parser Module Security and Compliance. It is particularly valuable for security issues that are discovered over time: a component may go into production with no known vulnerabilities and be found, years later, to contain a serious one that has been exposed all along.

For example, all Django versions before 1.4.11 were vulnerable to CVE-2014-0474. Anyone who carefully reviewed Django 1.4.10, found no known vulnerabilities, and deployed it was exposed from the day the CVE was published unless they kept running some kind of ongoing scan of their production environment. Most organizations do not, because doing so requires constant and often labor-intensive maintenance work.

Security & Compliance automates this process, removing the uncertainty about which components contain security issues and vulnerabilities, and in turn which applications are affected.

Getting Started

For information on getting started with Security & Compliance, see the ActiveState Platform Quick Start Guide.

How Security & Compliance works

Each time the ActivePython interpreter with the Security & Compliance plugin loads a Python component, it opens the component's file and reads its contents. Security & Compliance scans the components loaded by the interpreter for existing or newly discovered security vulnerabilities, outdated or "risky" components, license violations, and stale or dated open source software. The plugin is scan-only: it never prevents a component from running. Instead, the service it reports to notifies an administrator of any problems through the ActiveState Platform.

Security & Compliance collects metadata about your ActivePython applications and scripts, such as package names, package licenses, and version numbers, which is used to identify compromised, out-of-date, or potentially vulnerable software. No private, personal, or other enterprise data is collected, and no program code or binaries are transmitted from your application.

Python applications running under ActivePython periodically send this metadata to the ActiveState Platform: once when the application starts, and then each time a new component is loaded into the interpreter.
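The mechanism described above (observe each component as the interpreter loads it, record its name and version, report once at startup and again per newly loaded component, and never block a load) can be illustrated with a small import hook. The example below is added here for explanation and is not ActiveState's plugin or any of its code. It installs a finder on sys.meta_path that never returns a module spec, so it cannot alter or prevent an import; it only records what was loaded and checks the version against an advisory table. The advisory table, the `fake` resolver used by `demo()`, and the `send` callback standing in for the network transport are all constructed for the example; the Django entry uses the CVE the page cites, and the version comparison is a simplified numeric one rather than full PEP 440 ordering.

```python
"""Load-time component inventory with an advisory check (illustrative example,
not ActiveState's plugin). The finder records imports and defers to the real
finders, so a load is never blocked: scan-only behaviour."""
import functools
import importlib
import importlib.metadata
import sys
from typing import Callable, Dict, List, Optional, Tuple

# Constructed advisory table: distribution -> [(fixed_in_version, advisory id)].
# Versions below fixed_in_version are affected. Django entry is the page's example.
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "django": [("1.4.11", "CVE-2014-0474")],
}

Resolver = Callable[[str], Optional[Tuple[str, str]]]


def parse_version(v: str) -> Tuple[int, ...]:
    """Simplified parser: leading digits of each dotted piece ('1.4.10rc1' -> (1, 4, 10)).
    A production scanner would use PEP 440 ordering instead."""
    parts = []
    for piece in v.split("."):
        num = ""
        for ch in piece:
            if not ch.isdigit():
                break
            num += ch
        parts.append(int(num) if num else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if a < b after padding to equal length, so '1.4' == '1.4.0'."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


def evaluate(distribution: str, version: str, advisories=ADVISORIES) -> List[str]:
    """Advisory ids that affect `distribution` at `version`."""
    return [adv for fixed_in, adv in advisories.get(distribution.lower(), [])
            if version_lt(version, fixed_in)]


@functools.lru_cache(maxsize=None)
def _top_level_map() -> Dict[str, List[str]]:
    # Maps import names to distribution names; available on Python 3.10+.
    fn = getattr(importlib.metadata, "packages_distributions", None)
    return fn() if fn else {}


def default_resolver(top_level: str) -> Optional[Tuple[str, str]]:
    """(distribution, version) from installed metadata; None for stdlib/unknown."""
    dists = _top_level_map().get(top_level)
    if not dists:
        return None
    try:
        return dists[0], importlib.metadata.version(dists[0])
    except importlib.metadata.PackageNotFoundError:
        return None


class LoadTimeScanner:
    """sys.meta_path finder that records each top-level component once and
    reports it via `send`. find_spec always returns None, so it never loads,
    replaces or blocks a module. Note: a failed import is recorded too, since
    the finder runs before the import is resolved."""

    def __init__(self, resolver: Resolver = default_resolver,
                 advisories=ADVISORIES, send: Optional[Callable] = None):
        self.resolver, self.advisories = resolver, advisories
        self.send = send or (lambda event: None)  # transport stand-in, no network
        self.seen: Dict[str, dict] = {}

    def find_spec(self, fullname, path=None, target=None):
        top = fullname.partition(".")[0]
        if top not in self.seen:
            record = {"module": top, "distribution": None, "version": None, "advisories": []}
            info = self.resolver(top)
            if info:
                dist, version = info
                record.update(distribution=dist, version=version,
                              advisories=evaluate(dist, version, self.advisories))
            self.seen[top] = record
            self.send(record)  # one event per newly loaded component
        return None  # defer to the real finders: the load proceeds unchanged

    def install(self):
        if self not in sys.meta_path:
            sys.meta_path.insert(0, self)
        for name in list(sys.modules):  # startup snapshot of already-loaded components
            self.find_spec(name)
        return self

    def uninstall(self):
        if self in sys.meta_path:
            sys.meta_path.remove(self)

    def findings(self) -> Dict[str, List[str]]:
        return {n: r["advisories"] for n, r in self.seen.items() if r["advisories"]}


def demo() -> dict:
    """Offline run: a constructed resolver pretends the stdlib module 'colorsys'
    is the Django 1.4.10 distribution from the page's example."""
    events: List[dict] = []
    fake: Resolver = lambda top: ("django", "1.4.10") if top == "colorsys" else None
    sys.modules.pop("colorsys", None)
    scanner = LoadTimeScanner(resolver=fake, send=events.append).install()
    try:
        importlib.import_module("colorsys")  # loads normally; the hook only observes
    finally:
        scanner.uninstall()
    return {"findings": scanner.findings(), "loaded": "colorsys" in sys.modules,
            "events": len(events)}


if __name__ == "__main__":
    print(demo())
```

The point to take from `demo()` is the split between observation and enforcement: the hook sees every component at load time and produces an event, but the import completes exactly as it would without the hook, which is what "scan only" means in the text above.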