The Devil Wears RPM:
Continuous Security Integration
Ikey Doherty, Intel Corporation
Who are you?
Introduction to Ikey Doherty
Who are you?
■ Ikey Doherty, software engineer at Intel
■ Part of the Clear Linux* Project for Intel Architecture
■ Developer of the cve-check-tool
■ Long-time distribution engineer (8+ years)
■ GNOME Foundation member/ GNOME Contributor
Brief introduction of terms
■ CVE
Common Vulnerabilities & Exposures
■ CVE ID
Unique identifier for a given CVE
■ NVD
National Vulnerability Database
■ RPM
RPM Package Manager
The Problem
What’s the big deal?
The Problem
■ CVEs are constantly being announced for many software packages
■ No automated solution exists to detect old and new CVEs in a continuously integrated fashion
■ Old CVEs can easily creep into Linux distributions
■ Distributions must still (manually) maintain the security of their software packages
“Anything that can go wrong, will go wrong.”
Murphy’s Law
The Solution
Continuous Security Integration
The Solution
■ cve-check-tool is purpose-built to continuously scan Linux* distributions for CVEs
■ Automation and integration with existing workflows/bug trackers
■ Finds both old and new CVEs using the NVD as its data source, with a turn-around of 4 hours
■ Takes away much of the manual labour of discovering CVEs
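The core of the approach above is matching a package inventory against NVD version ranges on every run. The following is an added illustration of that matching, not code from cve-check-tool or from the slides: the feed entries, the CVE IDs (CVE-0000-* placeholders), the package list and the "patched" ignore set are all constructed for the example. The version comparison follows the rpmvercmp rules in simplified form, since the inventory here is RPM-based.

```python
import re

# Constructed NVD-style entries (placeholder IDs, not real CVEs). Each names
# an affected product and a half-open version range [start, end); None means
# the bound is absent, as in the NVD's versionStartIncluding/versionEndExcluding.
FEED = [
    {"id": "CVE-0000-0001", "product": "openssl",
     "version_start_including": "1.0.1", "version_end_excluding": "1.0.1g"},
    {"id": "CVE-0000-0002", "product": "bash",
     "version_start_including": None, "version_end_excluding": "4.3.30"},
    {"id": "CVE-0000-0003", "product": "zlib",
     "version_start_including": "1.2.8", "version_end_excluding": "1.2.9"},
]

# Constructed package inventory, (name, version) per installed/built RPM.
PACKAGES = [("openssl", "1.0.1f"), ("bash", "4.3.30"),
            ("zlib", "1.2.8"), ("curl", "7.40.0")]

# Distributions often backport a fix without bumping the upstream version, so
# a version-only check would keep reporting it. An explicit ignore list of
# (package, CVE) pairs already fixed is the usual remedy (assumed format).
PATCHED = {("zlib", "CVE-0000-0003")}

_TOKEN = re.compile(r"(\d+|[A-Za-z]+)")


def vercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: split both strings into numeric and alphabetic
    runs, compare run by run (numeric runs numerically, alphabetic runs
    lexically, numeric beats alphabetic), and if one string has runs left
    over it is the newer one. Returns -1, 0 or 1."""
    ta, tb = _TOKEN.findall(a), _TOKEN.findall(b)
    for x, y in zip(ta, tb):
        xn, yn = x.isdigit(), y.isdigit()
        if xn and yn:
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif xn != yn:
            return 1 if xn else -1
        elif x != y:
            return -1 if x < y else 1
    if len(ta) == len(tb):
        return 0
    return 1 if len(ta) > len(tb) else -1


def affected(version: str, entry: dict) -> bool:
    """True if version lies in [version_start_including, version_end_excluding)."""
    start, end = entry["version_start_including"], entry["version_end_excluding"]
    if start is not None and vercmp(version, start) < 0:
        return False
    if end is not None and vercmp(version, end) >= 0:
        return False
    return True


def scan(packages, feed, patched=frozenset()):
    """Return {package: [CVE ids]} for every package inside an affected range
    that is not on the patched/ignore list. Re-running this whenever the feed
    is refreshed is what makes the check continuous."""
    report = {}
    for name, version in packages:
        for entry in feed:
            if entry["product"] != name or not affected(version, entry):
                continue
            if (name, entry["id"]) in patched:
                continue
            report.setdefault(name, []).append(entry["id"])
    return report


if __name__ == "__main__":
    for pkg, cves in scan(PACKAGES, FEED, PATCHED).items():
        print(f"{pkg}: {', '.join(cves)}")
```

With the constructed inputs, only openssl 1.0.1f is reported: bash 4.3.30 sits exactly on the excluded upper bound, zlib 1.2.8 is in range but listed as patched, and curl has no feed entry. The ignore list is the part a practitioner must maintain by hand; without it a backport-heavy distribution drowns in false positives.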
Demo
Quick run of cve-check-tool in a virtualised environment
The Future
cve-check-tool – but not just for devs
Room for expansion
■ Enable usage by administrators
■ Quickly identify issues on deployed systems
■ Scan thousands of Docker images against known data
■ Multiple data feeds
■ “Deep scan” – check “bad” code paths and file hashes, greatly increasing the surface area covered
Questions?
https://github.com/ikeydoherty/cve-check-tool
https://clearlinux.org/