The Devil Wears RPM: Continuous Security Integration
Ikey Doherty Intel Corporation
Who are you?
Introduction to Ikey Doherty
■ Ikey Doherty, software engineer at Intel
■ Part of the Clear Linux* Project for Intel Architecture
■ Developer of the cve-check-tool
■ Long-time distribution engineer (8+ years)
■ GNOME Foundation member / GNOME contributor
■ CVE: Common Vulnerabilities & Exposures
■ CVE ID: unique identifier for a given CVE
■ NVD: National Vulnerability Database
■ RPM: RPM Package Manager
What’s the big deal?
■ CVEs are constantly being announced for many software packages
■ No automated solution to detect them in a continuously integrated fashion
■ Old CVEs can easily creep into Linux distributions
■ Distributions must still (manually) maintain the security of their software packages
Murphy’s Law
Continuous Security Integration
■ cve-check-tool is purpose-built to continuously scan Linux* distributions for CVEs
■ Automation and integration with existing workflows and bug trackers
■ Finds old and new CVEs by utilising the NVD as a data source, with a four-hour turn-around
■ Takes away much of the manual labour of discovering CVEs
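The matching step the slides describe, as an added example that is not part of the presentation or of the cve-check-tool code base: a small Python matcher that compares an installed package list against NVD-style affected-version ranges (shaped after NVD's versionStartIncluding / versionEndExcluding fields) and skips CVEs for which the distribution already carries a backported fix. The feed entries, package versions and patched list are constructed sample data; examplelib, sampletool and othertool and the CVE-0000-* identifiers are placeholders, and the version comparison is a simplified form of rpm's segment ordering (no epoch or release handling), not the tool's own.

```python
"""Version-range CVE matching over NVD-style data (added example; not cve-check-tool's code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Advisory:
    """One affected-version range for a product, shaped after NVD's CPE match fields."""
    cve_id: str
    product: str
    start_incl: Optional[str]  # like NVD versionStartIncluding; None = no lower bound
    end_excl: Optional[str]    # like NVD versionEndExcluding; None = no upper bound


def vercmp(a: str, b: str) -> int:
    """Compare two version strings; returns -1, 0 or 1.

    Simplified form of rpm's segment ordering: split into digit runs and letter
    runs, compare digits numerically, letters lexically, and rank a numeric
    segment above an alphabetic one. Epoch and release are not handled here.
    """
    ta = re.findall(r"\d+|[A-Za-z]+", a)
    tb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(ta, tb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    # All shared segments equal: the longer version is the newer one (1.0.1g > 1.0.1)
    return (len(ta) > len(tb)) - (len(ta) < len(tb))


def affected(version: str, adv: Advisory) -> bool:
    """True when version lies inside [start_incl, end_excl)."""
    if adv.start_incl is not None and vercmp(version, adv.start_incl) < 0:
        return False
    if adv.end_excl is not None and vercmp(version, adv.end_excl) >= 0:
        return False
    return True


def scan(packages: Dict[str, str], feed: List[Advisory],
         patched: Optional[Dict[str, Set[str]]] = None) -> List[Tuple[str, str, str]]:
    """Return (product, version, cve_id) for every installed package inside an affected range.

    `patched` maps product -> CVE ids whose fixes the distribution backported without a
    version bump; version matching alone would report those as false positives.
    """
    patched = patched or {}
    hits = []
    for adv in feed:
        version = packages.get(adv.product)
        if version is None:
            continue  # product not installed
        if adv.cve_id in patched.get(adv.product, set()):
            continue  # fix already carried as a distro patch
        if affected(version, adv):
            hits.append((adv.product, version, adv.cve_id))
    return sorted(hits)


# Constructed sample data: placeholder product names and CVE-0000-* ids, not real advisories.
SAMPLE_FEED = [
    Advisory("CVE-0000-0001", "examplelib", "1.0.1", "1.0.1g"),  # fixed in 1.0.1g
    Advisory("CVE-0000-0002", "examplelib", None, "1.2.0"),      # everything before 1.2.0
    Advisory("CVE-0000-0003", "sampletool", "2.4", "2.4.10"),    # fixed in 2.4.10
    Advisory("CVE-0000-0004", "othertool", None, "9.9"),         # not installed below
]
SAMPLE_PACKAGES = {"examplelib": "1.0.1f", "sampletool": "2.4.10", "unrelated": "0.1"}
SAMPLE_PATCHED = {"examplelib": {"CVE-0000-0002"}}  # distro carries a backported fix

if __name__ == "__main__":
    for product, version, cve_id in scan(SAMPLE_PACKAGES, SAMPLE_FEED, SAMPLE_PATCHED):
        print(f"{product}-{version}: {cve_id}")
```

Two practical caveats the example makes visible: a package sitting exactly on the fix version (sampletool 2.4.10 against an end-excluding bound of 2.4.10) must not be reported, and a version-only match cannot see backported fixes, so any distribution running this kind of scan needs a maintained list of CVEs it has already patched or it will drown in false positives. Mapping distribution package names onto NVD product names is the other hard part and is left out here.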
Quick run of cve-check-tool in a virtualised environment
cve-check-tool – but not just for devs
■ Enable usage by administrators
■ Quickly identify issues on deployed systems
■ Scan thousands of Docker images against known data
■ Multiple data feeds
■ “Deep scan”: check known-bad code paths and file hashes, greatly increasing detection coverage
https://github.com/ikeydoherty/cve-check-tool
https://clearlinux.org/