A few weeks back I was at DjangoCon enjoying the talks and meeting friends. During a hallway discussion with Jacob Kaplan-Moss about his talk ‘Be Agile, Not Vulnerable’, I mentioned that perhaps New Relic could play a role in getting the message out to our customers about vulnerabilities in packages they use.
A week later, Django issued a security release for a potential denial of service attack. I decided to take this opportunity to deliver on my promise. I reached out to my colleague on the Ruby Agent team, who had built a prototype of such banners. After a brief discussion we both agreed that the code needed a little refactoring to make future additions easier. In its previous form, adding a new vulnerability required an entry in the database, a minor code change and a redeploy. We wanted new additions to require only a database change, with no code change or deployment.
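To make the "database change only" design concrete, here is an added example of a table-driven vulnerable-version check. This is illustration code written for this post, not New Relic's implementation; the advisory rows, version ranges and descriptions are constructed, and a real deployment would load the rows from the database rather than a module-level list.

```python
"""Data-driven vulnerable-version check (added example, not New Relic's code).

Each advisory row states: package, first affected version (inclusive),
first fixed version on that branch (exclusive), and a summary. Adding a
new advisory means adding a row; the comparison code never changes.
All rows and version numbers below are constructed for illustration.
"""
import re
from typing import List, NamedTuple, Optional


class Advisory(NamedTuple):
    package: str
    introduced: str  # first affected version, inclusive
    fixed: str       # first fixed version on that branch, exclusive
    summary: str


# Constructed sample table standing in for the database rows.
ADVISORIES = [
    Advisory("django", "1.4", "1.4.8", "hypothetical DoS advisory, 1.4 branch"),
    Advisory("django", "1.5", "1.5.4", "hypothetical DoS advisory, 1.5 branch"),
]

# Accepts "1.5.4", "1.4" and pre-releases such as "1.6b4" or "1.6rc1".
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|c|rc)(\d+))?$")


def parse_version(version: str) -> tuple:
    """Turn a version string into a tuple that compares correctly.

    Release segments are zero-padded so "1.4" == "1.4.0", and a pre-release
    sorts before its final release ("1.6b4" < "1.6").
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unsupported version string: %r" % version)
    release = tuple(int(x) for x in m.group(1).split("."))
    release = release + (0,) * (4 - len(release))
    if m.group(2):
        pre = ({"a": 0, "b": 1, "c": 2, "rc": 2}[m.group(2)], int(m.group(3)))
    else:
        pre = (9, 0)  # a final release sorts after any pre-release
    return release + pre


def find_advisories(package: str, version: str,
                    advisories: List[Advisory] = ADVISORIES) -> List[Advisory]:
    """Return every advisory whose [introduced, fixed) range contains version."""
    v = parse_version(version)
    return [a for a in advisories
            if a.package == package
            and parse_version(a.introduced) <= v < parse_version(a.fixed)]


def banner_for(package: str, version: str,
               advisories: List[Advisory] = ADVISORIES) -> Optional[str]:
    """Banner text for an affected version, or None when nothing matches."""
    hits = find_advisories(package, version, advisories)
    if not hits:
        return None
    return "%s %s is affected by: %s" % (
        package, version, "; ".join(h.summary for h in hits))


if __name__ == "__main__":
    for reported in ("1.4.7", "1.4.8", "1.5.4", "1.6b4"):
        print(reported, "->", banner_for("django", reported))
```

The important design point is that the fixed version is the exclusive upper bound, so the release that ships the fix is never flagged, and each supported branch gets its own row; a new release only ever adds rows.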
I worked with our web engineering team and made the necessary changes. Now, I’m happy to announce that it is live in production.
Right now it only warns users who are running vulnerable Django versions. Before we extend it to other languages and frameworks, we would like to collect feedback about its usefulness.
The banners themselves have a built-in voting system that allows our customers to let us know whether they found the banner useful. So far the response has been quite positive (94%).
I’d like to thank Russell Keith-Magee and James Bennett of the Django Project for adding an archive of all security issues to the docs. It serves as a great reference for every security issue in a single page.
Providing Value through Experiments
This is not a brand new feature but one we have been experimenting with to provide more value to our communities. New Relic encourages its employees to experiment (yes, we are hiring), and this is one such experiment. So far it has been a success, with approximately 134 people confirming that they found the banner useful. What do you think?