Ubuntu security assurances
The open source software ecosystem is vast, requiring careful consideration in information security risk management. Ubuntu is carefully engineered to provide a solid foundation for any type of deployment, with transparent security processes built on modern best practices.

A critical link in your software supply chain
Assessing the software supply chain is a critical aspect of building a strong security posture. Through its commitment to open source, Ubuntu is built on transparent processes that can be relied upon by all its users and integrated within enterprise risk assessment programs.
Stable security updates
The Ubuntu Security Team fixes vulnerabilities through targeted security updates that maintain backwards compatibility in all LTS releases, with support for up to 12 years.
Long-term stability
Most open source software suppliers only address vulnerabilities in the latest version, but updating to a cutting-edge release carries a risk of introducing incompatible changes or the removal of relied-upon functionality. Instead, Ubuntu users receive bespoke security updates that only address the security flaws and retain compatibility with the software version originally distributed in the Ubuntu release they have installed.
Regression mitigation
Packages go through comprehensive regression testing before updates are made available, reducing the risk of downtime or the complexities of rolling them back. The unattended-upgrades feature applies updates automatically and is enabled by default on Ubuntu installations.
Rapid fixes
The Ubuntu Security Team collaborates with security researchers, open-source projects and other industry groups to prepare fixes for high-impact vulnerabilities within closed embargoes, in order to deliver security updates at the same time the vulnerabilities are publicly disclosed.
Software assessment
Ubuntu distributes over 36,000 open source software packages. Understanding the risk exposure from such a large catalogue is a daunting task.
The distinction between the Main and Universe repositories is meant to help with this evaluation:
The Main repository
With over 2,300 pieces of software, the Main repository is assembled by hand-picking the most critical packages and evaluating them from a quality, maintainability and security point of view, a process known as a Main Inclusion Review (MIR). This includes security audits, which often reveal vulnerabilities that are subsequently fixed.
The Universe repository
This repository provides a vast, ready-to-use ecosystem of open source software and consists of over 34,000 packages in the latest Ubuntu LTS (Noble Numbat). In addition to community support, selected security updates are also provided by the Ubuntu Security Team as part of Ubuntu Pro Expanded Security Maintenance for applications (ESM-Apps).
Up-to-date cryptography
Cryptography underpins information security, so it is critical to stay up to date with the recommended protocol versions and algorithms. Ubuntu offers the foundation for a strong security posture.

Diverse libraries
Ubuntu distributes a large selection of cryptographic libraries. This facilitates the security maintenance of a wide range of software, whether internally developed or popular open source projects. Stable security updates reduce incompatibility risks and simplify patch management.

Modern cryptography
The Ubuntu Security Team ensures that recommended algorithms are used in the core functions of the operating system, in addition to deprecating the ones that are no longer considered safe by current best practices.

FIPS certification
Ubuntu Pro delivers drop-in replacements of the most popular cryptographic software packages for use in deployments that require compliance with the FIPS 140 series of standards, in accordance with U.S. government regulations. The necessary validation process is done through an accredited third-party auditor.
Continuous hardening
When vulnerabilities are inevitably discovered, security safeguards reduce the likelihood that threats materialize through exploitation, which reduces risk. Ubuntu is regularly updated to integrate the latest security features that have a broad impact on all software running on the distribution.
Binary protection
The Ubuntu Security Team periodically reviews system-wide software compilation settings to include the newest security features, such as memory exploitation protections.
Linux hardening
The Linux kernel fulfills a central role in providing mitigations for a wide range of vulnerabilities. The Ubuntu-distributed kernel packages have a selection of hand-picked settings enabled that provide a strong balance between usability and security; these are evaluated on a continuous basis.
Security features
From application confinement and mandatory access control (MAC) to integrity protections or data confidentiality features, the Ubuntu distribution offers a wide selection of ready-to-use security controls to enhance the protection of system deployments.
Safe defaults
Security-conscious default settings improve the posture of all Ubuntu users, while reducing the complexity associated with critical installations. These include:
- No externally accessible network services on default installations
- Automatic security updates
- Various security-sensitive kernel features
- Restrictive configurations of software packages
Software integrity protection
Ubuntu distributes software through a network of Canonical services and third-party mirrors. The risk of supply chain attacks that compromise these channels is reduced through strong cryptographic integrity protections.
Package management applications automatically verify software signatures, which are generated in confined environments running on Canonical infrastructure.
Ubuntu installation media can similarly be verified, a process that is strongly recommended because it offers integrity protection even when the media in question is retrieved over untrusted connections.