The Devil Wears RPM:

Continous Security Integration

Ikey DohertyIntel Corporation

Who are you?

Introduction to Ikey Doherty

Who are you?

■ Ikey Doherty, software engineer at Intel

■ Part of the Clear Linux* Project for Intel Architecture

■ Developer of the cve-check-tool

■ Long-time distribution engineer (8+ years)

■ GNOME Foundation member/ GNOME Contributor

Brief introduction of terms

■ CVE

Common Vulnerabilities & Exposures

■ CVE ID

Unique identifier for a given CVE

■ NVD

National Vulnerability Database

■ RPM

RPM Package manager

The Problem

What’s the big deal?

■ CVEs are constantly being announced for many software packages

■ No automated solution to detect old and new CVEs in a continously integrated fashion

■ Old CVEs can easily creep into Linux distributions

■ Distributions must still (manually) maintain security of software packages

The Problem

“Anything that can go wrong, will go wrong.”

Murphy’s Law

The Solution

Continuous Security Integration

■ cve-check-tool is purpose built to continously scan Linux* distributions for CVEs

■ Automation and integration with existing workflows/bug trackers

■ Finds old and new CVEs by utilising the NVD as a data source, turn-around of 4 hours

■ Takes away much of the manual labour effort for discovering CVEs

The Solution

Demo

Quick run of cve-check-tool in a virtualised environment

The Future

cve-check-tool – but not just for devs

■ Enable usage by administrators

■ Quickly identify issues on deployed systems

■ Scan thousands of dockerimages against known data

■ Multiple data feeds

■ “Deep scan” – check “bad” code paths and file hashes, greatly increasing surface area

Room for expansion

Questions?

https://github.com/ikeydoherty/cve-check-tool

https://clearlinux.org/