Product managers, development managers, and programmers all have to worry about code security today. What do you do, and how do you react, when a severe security vulnerability announcement is made – regarding the code you’ve embedded in your product – days before your scheduled product release? It happened to us, and here’s what we did.
PV-WAVE is an array-oriented fourth-generation programming language used to build and deploy visual data analysis applications. One of the strengths of PV-WAVE is its ability to read, manipulate, process, display, and write a myriad of image files and image file formats. We adopted the ImageMagick libraries some time ago as the underlying technology for our image I/O capabilities.
As we prepared for our latest release, we decided as a team, based on customer input, to update the version of ImageMagick. Due in part to our long-standing mantra of maintaining backward compatibility between releases as much as possible, the update became the largest time commitment for the development team for the release. Two days before we finished the development work, the ImageTragick vulnerability was announced!
The team rushed to understand the vulnerability and to gauge the potential impact on our product and the release schedule. The developers quickly isolated the vulnerable code area and disabled any and all access to those sections of code. We added further ‘done’ testing to ensure that all stated exploits related to ImageTragick could not be reached using PV-WAVE. We convinced ourselves through that testing that we remained secure. As it turned out, the code changes we implemented were the exact resolution taken by the ImageMagick community.
We are excited by the PV-WAVE 12.0 release! And we’re pleased that our corporate diligence around code security extends to all development teams within Rogue Wave, which leads to secure product releases for our customers.
For more information about PV-WAVE 12.0, visit the what’s new page.