1.5.1. Security and Hardening

This section outlines best practices for secure deployment of applications built with the Proximie SDK.

Every release of the Proximie SDK, along with its dependencies, is scanned for known security vulnerabilities. This is achieved by the automated generation of a Docker image containing the SDK and its dependencies, which is then uploaded to Amazon ECR, where it is scanned by AWS Inspector’s enhanced scanning.

1.5.1.1. Known SDK Dependency Vulnerabilities

Several dependencies of the Proximie SDK have known vulnerabilities. For the most part, these vulnerabilities are not exposed by use of the Proximie SDK; many relate to GStreamer plugins that the SDK does not use, for example. However, for the purposes of compliance and certification, the easiest approach is to ensure that your application environment does not include vulnerable versions of these dependencies.

Addressing Vulnerable Dependencies

We strongly recommend the use of Ubuntu Pro’s ESM (Extended Security Maintenance) repositories for your application environment. Ubuntu Pro provides security updates for a wide range of packages, including those with known vulnerabilities in the Proximie SDK dependency tree.

After enabling Ubuntu Pro ESM within our Docker images, AWS Inspector enhanced scanning reports no known vulnerabilities in the Proximie SDK and its dependencies.

A Dockerfile and script are provided in the Proximie SDK release (see the px-core/examples/environment/docker/hardening directory) that demonstrate how to enable Ubuntu Pro and install ESM packages. You will need to sign up for an Ubuntu Pro account and obtain a token to use this service; see the Ubuntu Pro website for more information.

Broadly, to enable Ubuntu Pro ESM on any host or Docker environment, you need to run the following commands:

sudo apt update
sudo apt install ca-certificates ubuntu-pro-client
sudo pro attach <your-ubuntu-pro-token>
sudo apt update
sudo apt upgrade
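As an added example (not the hardening Dockerfile shipped under px-core/examples/environment/docker/hardening), one way to apply the commands above in a Docker build so that the Ubuntu Pro token never ends up in an image layer or in build logs; the base image tag, the secret id ubuntu_pro_token and the token file path are assumptions.

```dockerfile
# syntax=docker/dockerfile:1
# Assumed base image: use the Ubuntu release your Proximie SDK build targets.
FROM ubuntu:22.04

# Build with the token supplied as a BuildKit secret, e.g.
#   docker build --secret id=ubuntu_pro_token,src=./pro-token.txt .
# The secret is mounted only for this RUN step and is not written to a layer,
# so it does not appear in `docker history` or in the pushed image.
RUN --mount=type=secret,id=ubuntu_pro_token \
    set -eu; \
    apt-get update; \
    apt-get install -y --no-install-recommends ca-certificates ubuntu-pro-client; \
    # No `set -x` here: tracing would echo the token into the build log.
    pro attach --no-auto-enable "$(cat /run/secrets/ubuntu_pro_token)"; \
    # Enable only the ESM repositories rather than every Pro service.
    pro enable esm-infra esm-apps --assume-yes; \
    # Pull the ESM builds of the packages already present in the image.
    apt-get update; \
    apt-get upgrade -y; \
    # Install the Proximie SDK and its dependencies here (placeholder: the
    # install steps are specific to your application and are not shown).
    # Detach so the contract credentials are not left behind in the image.
    pro detach --assume-yes; \
    apt-get clean; \
    rm -rf /var/lib/apt/lists/*
```

Because the image is detached at the end of the step, it does not keep receiving ESM updates; rebuild it (and re-scan the result with Inspector) to pick up newly published fixes.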