Brent Clements
on 14 July 2016

How Canonical Battles Zero-Day Threats


I work for Canonical as a Consulting Architect. Every design I put together I try to secure as best as possible. One reason I came to Canonical was because of the way we handle security updates and our approach to security. This blog post outlines how we handle updates, specifically around zero-day vulnerabilities.

We have all heard of major break-ins at some of the world’s most trusted companies. It is something that, speaking as a former IT Security Analyst, keeps me on my toes when dealing with technology every day.  Many of these major break-ins are due to flaws, commonly known as vulnerabilities, that exist in software. These vulnerabilities lie in wait for the day that a hacker discovers them and creates an exploit to attack a business for fun and/or profit.  The most serious of these attacks, zero-day attacks, occur when attackers identify that flaw and release an exploit before the vendor has the opportunity to release a patch which fixes the vulnerability. Many times vendors are racing against the clock to fix the vulnerability before further damage is done.

Luckily, Canonical works extremely quickly with our partners, customers, and the community when it comes to stopping zero-day attacks before they cause large-scale damage. Our goal is to reduce the time it takes to release a security update so you can patch more quickly. Not only do we follow best practices when securing OpenStack, but the Ubuntu operating system is also engineered to be one of the most secure operating systems in the world. We do this by constantly monitoring for exploits, threats, and attacks, and also by working closely with our partners, customers, and the community to maintain vigilance over all aspects of security.

In a recent example of combating security threats, Canonical was notified of a “zero-day” vulnerability, which is a hole in software that is unknown to the vendor. Within hours, the Canonical engineering team had released a security patch to both our customers and the community. While all threats can’t always be immediately addressed, this demonstrates the high level of attention that we pay to any notification of a potential vulnerability. Because of our engineering-focused security model, we can move quickly to eliminate threats.

The biggest weapon we have in fighting zero-day attacks is constantly being on alert for threats. Canonical’s security team continuously monitors these threats by:

In order to move as quickly as we do, Canonical has developed a well-defined process for analyzing threats and producing security patches to stop problems before they begin.  Once a vulnerability has been identified, security updates are done according to the threat prioritization. Our update process includes:

  1. Researching how the vulnerability affects each Ubuntu release
  2. Locating the upstream fix or, in some cases, fixing the issue ourselves
  3. Backporting the fix to all affected Ubuntu releases
  4. Targeted testing to gain confidence that the issue is fixed
  5. Building the packages that will ultimately be published as Ubuntu Security updates
  6. Performing thorough QA to ensure that the security update packages fix the vulnerability and do not introduce regressions that will negatively affect our users
  7. Publishing the security updates and an accompanying Ubuntu Security Notice to http://www.ubuntu.com/usn/, whereby we inform users of the fixed issue(s) and the steps they need to take to apply the update.

So why is having a well-defined process for identifying flaws and squashing them before they cause damage important? My belief is that we must prevent financial loss and secure your or your customers’ data as soon as possible. According to an IT Risk Survey released by security firm Kaspersky, the average security breach costs an enterprise $551,000 to recover from. Not only is it costly, but your business’s reputation can be damaged, sometimes irreparably.

To further illustrate the point, let’s imagine you are a financial institution or insurance company. According to the 2015 IBM Security Index, these types of institutions are at the highest risk of being attacked. Having a partner that can quickly find and eliminate security vulnerabilities gives you a greater advantage in securing your customers’ financial information and reducing losses now and in the future.

Canonical has a goal to help secure the cloud to reduce those threats.  Our people, processes, and technology ensure that vulnerabilities are quickly eliminated in order to protect you, your company, and your customers.  For me, I am proud to be part of such a wonderful team that fights for your business.  Because of this, I can, with confidence, advise our customers on the best possible outcomes for their projects.
