

Cyber Essentials: why keeping your Shibboleth IdP up to date is crucial

[Image: an unlocked padlock next to three locked padlocks, against a background of code. Photo by Jack Moreh on Stockvault]

A core aspect of Cyber Essentials is keeping your systems up to date. This applies both to operating systems and to any installed apps or software: all of them must always be kept updated.  

Applying these updates is one of the most important things you can do to improve security. It ensures that devices and software are not left vulnerable to known security issues for which fixes are already available.  

This process is known as patching, or patch management. You can learn more about that here.

What does this mean for your organisation?  

Under this technical control theme, Cyber Essentials applicants must keep software up to date. And they must be able to show that the software is:  

  • licensed and supported  
  • removed from devices when no longer supported  
  • patched within 14 days of an update being released, where the patch fixes a vulnerability with a severity the product vendor describes as ‘critical’ or ‘high risk’ 

This includes your Shibboleth IdP, a piece of security software that manages the authentication of your users.  

Why is Shibboleth such an important bit of software to update?  

Shibboleth is designed to securely authenticate users, grant access, and send information about those users, all over the open internet.  

Given that 81% of all breaches come from stolen or weak passwords, it stands to reason that an ‘authentication bypass’ caused by a software vulnerability in the authentication service itself would be particularly bad.  

It would be worse still if simply updating the software would have prevented it.  

Knowing when and what to patch  

With Shibboleth, you need to consider how each patch applies to your configuration and use of the application, rather than blindly applying every available patch.  

For the purposes of the Cyber Essentials scheme, ‘critical’ or ‘high risk’ vulnerabilities are those with the following values: 

  • attack vector: network only 
  • attack complexity: low only 
  • privileges required: none only 
  • user interaction: none only 
  • exploit code maturity: functional or high 
  • report confidence: confirmed or high  

Many Shibboleth patches need to be applied only if you are using a particular plug-in or application. So you may not need to install them all, but you do need a strategy for monitoring and implementing the patches that are relevant to your configuration of the software.  

To ensure you are on top of security updates, you also need to consider how you update underlying applications or libraries that the Shibboleth IdP relies on, like Tomcat, Jetty and Java (Amazon Corretto), where that’s installed separately.  
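As an added illustration of the two points above (the six Cyber Essentials threshold values and the need to match patches to your own configuration), and not code from the original post: a small Python triage helper that parses a CVSS 3.x vector, checks it against the listed values, drops advisories for components that are not part of your deployment, and works out the 14-day deadline. The component names, advisory ids and dates are constructed placeholders, and treating an absent temporal metric as its worst case is this example's own assumption.

```python
from datetime import date, timedelta

# Cyber Essentials 'critical' / 'high risk' thresholds from the post, as the CVSS 3.x
# metric values that satisfy them. Absent or 'X' (Not Defined) temporal metrics count
# as their worst case, as CVSS scoring does, so a thin advisory never hides a patch (assumption).
CE_THRESHOLDS = {
    "AV": {"N"},            # attack vector: network only
    "AC": {"L"},            # attack complexity: low only
    "PR": {"N"},            # privileges required: none only
    "UI": {"N"},            # user interaction: none only
    "E":  {"F", "H", "X"},  # exploit code maturity: functional or high
    "RC": {"C", "X"},       # report confidence: confirmed (the top CVSS 3.x level)
}

def parse_cvss_vector(vector):
    """Turn 'CVSS:3.1/AV:N/AC:L/...' into a {metric: value} dict, rejecting junk."""
    parts = vector.strip().split("/")
    if not parts[0].startswith("CVSS:3"):
        raise ValueError("only CVSS 3.x vectors are handled here")
    metrics = {}
    for part in parts[1:]:
        key, sep, value = part.partition(":")
        if not (sep and key and value):
            raise ValueError(f"malformed metric {part!r}")
        metrics[key] = value
    if any(m not in metrics for m in ("AV", "AC", "PR", "UI")):
        raise ValueError("vector is missing required base metrics")
    return metrics

def meets_ce_threshold(vector):
    """True when every metric sits inside the scheme's critical/high-risk band."""
    metrics = parse_cvss_vector(vector)
    return all(metrics.get(k, "X") in ok for k, ok in CE_THRESHOLDS.items())

def triage(advisories, installed, today):
    """Keep advisories for deployed components; attach the 14-day deadline and an overdue flag."""
    rows = []
    for adv_id, component, released, vector in advisories:
        if component not in installed:
            continue  # e.g. a fix for a plug-in this IdP does not run
        due = released + timedelta(days=14) if meets_ce_threshold(vector) else None
        rows.append({"id": adv_id, "deadline": due, "overdue": due is not None and today > due})
    return sorted(rows, key=lambda r: r["deadline"] or date.max)

# Constructed sample advisories: (placeholder id, component, release date, CVSS vector).
SAMPLE = [
    ("ADV-PLACEHOLDER-1", "idp-core", date(2024, 3, 1), "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RC:C"),
    ("ADV-PLACEHOLDER-2", "plugin-x", date(2024, 3, 5), "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
    ("ADV-PLACEHOLDER-3", "idp-core", date(2024, 3, 10), "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N/E:P/RC:R"),
]
```

Run `triage(SAMPLE, {"idp-core"}, date.today())` to see the plug-in advisory dropped and the core advisories ordered by deadline; anything with an empty deadline still needs patching, just not under the 14-day rule.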

How to keep an eye on security updates and patches 

So, you need to keep Shibboleth up to date as part of Cyber Essentials. But how do you know what patches or upgrades are available? Here are a few helpful tools and tips:  

  • Check the Shibboleth Wiki – all the info you need about the latest software versions, patches and minor upgrade releases is available via this source  
  • Contact UK Federation Helpdesk – our dedicated team will be able to help you understand which version of Shibboleth you’re currently running, and advise on the latest version / patches to be aware of  
  • Call on Trust and Identity Consultancy Support – if you’ve not got the skills or resource to tackle this yourselves, you can also call on our Trust and Identity experts to help you out, whether it’s a one-off project or keeping retained expertise on hand, throughout the year  

We hope this has been a helpful read. If you have any additional queries about Cyber Essentials, please contact professional.cyberservices@jisc.ac.uk. For any additional queries about Shibboleth or the UK Access Management Federation, please contact service@ukfederation.org.uk.
