The Devil Wears RPM: Continuous Security Integration
Ikey Doherty, Intel Corporation
Who are you? Introduction to Ikey Doherty
Who are you?
■ Ikey Doherty, software engineer at Intel
■ Part of the Clear Linux* Project for Intel Architecture
■ Developer of the cve-check-tool
■ Long-time distribution engineer (8+ years)
■ GNOME Foundation member / GNOME contributor
Brief introduction of terms
■ CVE: Common Vulnerabilities & Exposures
■ CVE ID: unique identifier for a given CVE
■ NVD: National Vulnerability Database
■ RPM: RPM Package Manager
The Problem What’s the big deal?
The Problem
■ CVEs are constantly being announced for many software packages
■ No automated solution to detect old and new CVEs in a continuously integrated fashion
■ Old CVEs can easily creep into Linux distributions
■ Distributions must still (manually) maintain the security of their software packages
“Anything that can go wrong, will go wrong.” Murphy’s Law
The Solution Continuous Security Integration
The Solution
■ cve-check-tool is purpose-built to continuously scan Linux* distributions for CVEs
■ Automation and integration with existing workflows/bug trackers
■ Finds old and new CVEs by utilising the NVD as a data source, with a turn-around of 4 hours
■ Takes away much of the manual labour effort of discovering CVEs
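To show what "scanning a distribution against the NVD" means in practice, here is an added illustration (not cve-check-tool's own code) that matches an installed package list against NVD-style version ranges. The feed entries, CVE ids and package versions are constructed placeholders; the range key names are those used in the NVD JSON feeds' cpe_match objects.

```python
# Added illustration of version-range CVE matching in the style of the NVD
# JSON feeds. Sample data is constructed (placeholder CVE ids, made-up
# packages); this is not cve-check-tool's own code.
import re


def version_key(version):
    """Turn '1.2.10' into (1, 2, 10) so that 1.2.10 sorts after 1.2.9.

    Plain string comparison would wrongly rank '1.2.10' below '1.2.9'.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def in_range(version, match):
    """Apply the NVD cpe_match range keys present in `match` to one version."""
    v = version_key(version)
    checks = (
        ("versionStartIncluding", lambda lo: v >= version_key(lo)),
        ("versionStartExcluding", lambda lo: v > version_key(lo)),
        ("versionEndIncluding", lambda hi: v <= version_key(hi)),
        ("versionEndExcluding", lambda hi: v < version_key(hi)),
    )
    return all(test(match[key]) for key, test in checks if key in match)


def scan(packages, feed):
    """Return (package, version, cve_id) for every package hit by a feed entry.

    packages: {name: version}, e.g. built from `rpm -qa --qf '%{NAME} %{VERSION}\n'`.
    A hit is a candidate, not a confirmed vulnerability: distributions often
    backport fixes without bumping the version, so hits still need triage.
    """
    hits = []
    for entry in feed:
        version = packages.get(entry["product"])
        if version is not None and in_range(version, entry):
            hits.append((entry["product"], version, entry["id"]))
    return hits


# Constructed sample data: placeholder CVE ids and made-up package names.
SAMPLE_FEED = [
    {"id": "CVE-0000-0001", "product": "examplelib",
     "versionStartIncluding": "1.0.0", "versionEndExcluding": "1.2.10"},
    {"id": "CVE-0000-0002", "product": "examplelib", "versionEndIncluding": "1.1.5"},
    {"id": "CVE-0000-0003", "product": "otherd",
     "versionStartExcluding": "2.4.0", "versionEndIncluding": "2.4.3"},
]
SAMPLE_PACKAGES = {"examplelib": "1.2.9", "otherd": "2.4.0", "unrelated": "9.9"}

if __name__ == "__main__":
    for hit in scan(SAMPLE_PACKAGES, SAMPLE_FEED):
        print("%s-%s affected by %s" % hit)
```

Re-running `scan` on a fresh feed download is the whole "continuous" part; the version parser here is deliberately simple and would need the distribution's own comparison rules (RPM's rpmvercmp, epochs, release tags) for real use.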
Demo Quick run of cve-check-tool in a virtualised environment
The Future cve-check-tool – but not just for devs
Room for expansion
■ Enable usage by administrators
■ Quickly identify issues on deployed systems
■ Scan thousands of Docker images against known data
■ Multiple data feeds
■ “Deep scan” – check “bad” code paths and file hashes, greatly increasing surface area
Questions?
https://github.com/ikeydoherty/cve-check-tool
https://clearlinux.org/