Categories
T&I Consultancy Trust, Identity and Access Blogs UK Access Management Federation

Cyber Essentials: why keeping your Shibboleth IdP up to date is crucial

Unlocked padlock next to three locked padlocks with a background showing coding lines
Photo by Jack Moreh on Stockvault

A core aspect of Cyber Essentials is keeping your systems up to date. This is true both for operating systems and any installed apps or software, and these must always be kept updated.  

Applying these updates is one of the most important things you can do to improve security. It ensures that devices and software are not vulnerable to known security issues, for which fixes are available.  

This process is known as patching, or patch management. You can learn more about that here 

What does this mean for your organisation?  

Under this technical control theme, Cyber Essentials applicants must keep software up to date. And they must be able to show that the software is:  

  • licensed and supported  
  • removed from devices when no longer supported  
  • patched within 14 days of an update being released, where the patch fixes a vulnerability with a severity the product vendor describes as ‘critical’ or ‘high risk’ 

This includes your Shibboleth IdP; a piece of security software that manages the authentication of users.  

Why is Shibboleth such an important bit of software to update?  

Shibboleth is designed to securely authenticate users, grant access, and send information about those users, all over the open internet.  

Given that 81% of all breaches come from stolen or weak passwords, it stands to reason that an ‘authentication bypass’ from software vulnerabilities to the authentication service would be particularly bad.  

Even worse if you could have just updated the software itself to prevent this from occurring.  

Knowing when and what to patch  

With Shibboleth, you will need to consider how it applies to the configuration/usage of the application, rather than just blindly applying all available patches.  

For the purposes of the Cyber Essentials scheme, ‘critical’ or ‘high risk’ vulnerabilities are those with the following values: 

  • attack vector: network only 
  • attack complexity: low only 
  • privileges required: none only 
  • user interaction: none only 
  • exploit code maturity: functional or high 
  • report confidence: confirmed or high  

Many Shibboleth patches need only be applied (and only if) you are using X plug-in or application. So you may not need to install them all, but you do have to have a strategy for monitoring and implementing patches that are relevant for your configuration of the software.  

To ensure you are on top of security updates, you also need to consider how you update underlying applications or libraries that the Shibboleth IdP relies on, like Tomcat, Jetty and Java (Amazon Corretto), where that’s installed separately.  

How to keep an eye on security updates and patches 

So, you need to keep Shibboleth up to date as part of Cyber Essentials. But how do you know what patches or upgrades are available? Here’s a few helpful tools and tips:  

  • Check the Shibboleth Wiki – all the info you need about the latest software versions, patches and minor upgrade releases is available via this source  
  • Contact UK Federation Helpdesk – our dedicated team will be able to help you understand which version of Shibboleth you’re currently running, and advise on the latest version / patches to be aware of  
  • Call on Trust and Identity Consultancy Support – if you’ve not got the skills or resource to tackle this yourselves, you can also call on our Trust and Identity experts to help you out, whether it’s a one-off project or keeping retained expertise on hand, throughout the year  

We hope this has been a helpful read. If you have any additional queries about Cyber Essentials – please contact professional.cyberservices@jisc.ac.ukAnd for any additional queries about Shibboleth or UK Access Management Federation – please contact service@ukfederation.org.uk   

Leave a Reply

Your email address will not be published.