A recent article in CSO magazine states that nearly half of the top million websites “pose security risks”. The CSO article is referencing the State of the Web 2016 Report from Menlo Security.
To avoid these problems, we recommend three potential solutions: upgrade your NGINX software, use NGINX Amplify for configuration analysis, or move to NGINX Plus.
There are two major sources of risk cited in the article:
If your site publishes third‑party content, you need to work with your publishing partners to solve any problems with the content they provide to you. If your site faces the problem of “old software”, or if you want to avoid this problem in the future, see the three recommended solutions below.
In specific configurations, which are rarely used and not recommended by NGINX, Inc., open source version 1.8 has a specific security vulnerability. We urge NGINX users to update to the latest version at their earliest convenience. If you rely on the version of NGINX distributed by your OS vendor, you may be using a very outdated version of NGINX. For example, Debian 8+ (Jessie) comes with NGINX 1.6.2, which is over 2 years old.
We recommend that, instead, you install NGINX from our repositories with prebuilt binaries. These binaries are built for Red Hat, Ubuntu, and a variety of BSD‑based OSs.
You can choose from two branches of the software: stable and mainline. The mainline branch is where we actively develop new features, while the stable branch is only updated to fix bugs and address security vulnerabilities. Please see this blog post for details on our branching scheme.
NGINX Amplify, now in public beta, includes configuration analysis. NGINX Amplify analyzes the NGINX version you have installed, notifies you of security vulnerabilities, and recommends an upgrade path.
The above screenshot shows an NGINX server running version 1.10.0, which is vulnerable to CVE‑2016‑4450. In this vulnerability, an attacker can cause a crash of an NGINX worker process. NGINX Amplify suggests an upgrade to either version 1.10.1+ or 1.11.1+, which have no known security vulnerabilities.
NGINX Amplify goes well beyond identifying NGINX software versions. With it, you can find a wide range of security issues in third‑party libraries and NGINX configuration. You can then repair each issue and re‑run NGINX Amplify to confirm that you’ve addressed it.
NGINX Amplify is in public beta and it is free to sign up. Try NGINX Amplify, including its configuration analysis feature, today to ensure your NGINX deployment is up to date and free of security vulnerabilities.
Users of NGINX Plus, the commercial version of the (open source) NGINX software, receive advanced security notifications and regular software updates. NGINX Plus has three features that make your website less vulnerable to security issues:
In addition, NGINX Amplify has access to additional metrics when used with NGINX Plus, giving you more ways to protect yourself.
You can download a free trial of NGINX Plus or contact Sales today.
"This blog post may reference products that are no longer available and/or no longer supported. For the most current information about available F5 NGINX products and solutions, explore our NGINX product family. NGINX is now part of F5. All previous NGINX.com links will redirect to similar NGINX content on F5.com."