The Devil Wears RPM: Continuous Security Integration · Continuous Security Integration Ikey Doherty...
The Devil Wears RPM:
Continuous Security Integration
Ikey Doherty, Intel Corporation
Who are you?
Introduction to Ikey Doherty
■ Ikey Doherty, software engineer at Intel
■ Part of the Clear Linux* Project for Intel Architecture
■ Developer of the cve-check-tool
■ Long-time distribution engineer (8+ years)
■ GNOME Foundation member / GNOME contributor
Brief introduction of terms
■ CVE
Common Vulnerabilities & Exposures
■ CVE ID
Unique identifier for a given CVE
■ NVD
National Vulnerability Database
■ RPM
RPM Package Manager
The Problem
What’s the big deal?
■ CVEs are constantly being announced for many software packages
■ No automated solution to detect old and new CVEs in a continuously integrated fashion
■ Old CVEs can easily creep into Linux distributions
■ Distributions must still (manually) maintain security of software packages
The Problem
“Anything that can go wrong, will go wrong.”
Murphy’s Law
The Solution
Continuous Security Integration
■ cve-check-tool is purpose-built to continuously scan Linux* distributions for CVEs
■ Automation and integration with existing workflows/bug trackers
■ Finds old and new CVEs by utilising the NVD as a data source, turn-around of 4 hours
■ Takes away much of the manual labour effort for discovering CVEs
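The core of the approach on this slide is matching a distribution's package list against NVD records by product name and vulnerable version range. The following is an added illustration written for this transcript, not cve-check-tool's own code (which is C) and not the real NVD feed format: the feed records and package list are constructed samples, the CVE IDs are placeholders, and the `ignored` set stands in for a distribution marking a CVE as fixed by a backported patch, which a version string alone cannot show.

```python
"""Added example: match installed package versions against NVD-style CVE records.

Illustrative code written for this transcript; it is not cve-check-tool's
implementation. The records below are constructed samples that imitate the
shape of NVD CPE match data (product name plus a vulnerable version range);
the real NVD JSON feeds nest this information more deeply.
"""
import re
from typing import Dict, FrozenSet, List, Tuple

# Constructed NVD-style records. The CVE identifiers are placeholders, not
# real CVEs. A missing bound means "unbounded on that side".
SAMPLE_FEED: List[Dict] = [
    {"cve": "CVE-0000-0001", "product": "openssl",
     "version_start_including": "1.0.1", "version_end_excluding": "1.0.1h"},
    {"cve": "CVE-0000-0002", "product": "zlib",
     "version_end_excluding": "1.2.9"},
    {"cve": "CVE-0000-0003", "product": "zlib",
     "version_start_including": "1.2.9", "version_end_including": "1.2.11"},
]

# Constructed package list, as a distribution's build system might report it.
SAMPLE_PACKAGES: List[Tuple[str, str]] = [
    ("openssl", "1.0.1g"), ("zlib", "1.2.11"), ("bash", "4.4"),
]


def version_key(version: str) -> Tuple:
    """Split a version string into a tuple that compares sensibly.

    Numeric components compare numerically ("1.10" > "1.9") and alphabetic
    suffixes lexically ("1.0.1g" < "1.0.1h"). Each component carries a type
    tag so ints and strings are never compared directly.
    """
    parts = re.findall(r"\d+|[a-zA-Z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def in_range(version: str, record: Dict) -> bool:
    """True if `version` falls inside the record's vulnerable range."""
    v = version_key(version)
    lo_inc = record.get("version_start_including")
    lo_exc = record.get("version_start_excluding")
    hi_inc = record.get("version_end_including")
    hi_exc = record.get("version_end_excluding")
    if lo_inc is not None and v < version_key(lo_inc):
        return False
    if lo_exc is not None and v <= version_key(lo_exc):
        return False
    if hi_inc is not None and v > version_key(hi_inc):
        return False
    if hi_exc is not None and v >= version_key(hi_exc):
        return False
    return True


def find_cves(packages: List[Tuple[str, str]], feed: List[Dict],
              ignored: FrozenSet[Tuple[str, str]] = frozenset()) -> List[Tuple[str, str, str]]:
    """Return (package, version, cve) for every package inside a vulnerable range.

    `ignored` holds (package, cve) pairs the distribution has reviewed and
    fixed via a backported patch; this is an assumed mechanism for the
    example, not cve-check-tool's own ignore-list format.
    """
    by_product: Dict[str, List[Dict]] = {}
    for rec in feed:
        by_product.setdefault(rec["product"], []).append(rec)
    hits = []
    for name, version in packages:
        for rec in by_product.get(name, []):
            if (name, rec["cve"]) in ignored:
                continue
            if in_range(version, rec):
                hits.append((name, version, rec["cve"]))
    return hits


if __name__ == "__main__":
    for name, version, cve in find_cves(SAMPLE_PACKAGES, SAMPLE_FEED):
        print(f"{name}-{version}: {cve}")
```

Run against the constructed data it reports openssl 1.0.1g (inside the 1.0.1 to 1.0.1h range) and zlib 1.2.11 (inside the second zlib range but past the first), while bash has no matching record. The version comparison is the part that most often goes wrong in such scanners: naive string comparison would rank "1.10" below "1.9".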
The Solution
Demo
Quick run of cve-check-tool in a virtualised environment
The Future
cve-check-tool – but not just for devs
■ Enable usage by administrators
■ Quickly identify issues on deployed systems
■ Scan thousands of Docker images against known data
■ Multiple data feeds
■ “Deep scan” – check “bad” code paths and file hashes, greatly increasing surface area
Room for expansion
Questions?
https://github.com/ikeydoherty/cve-check-tool
https://clearlinux.org/