
Stop Chasing CVEs

Nemo
October 05, 2024

Stop Chasing CVEs

Waiting for vulnerability alerts to secure your systems is a flawed strategy. Did you spend time tracking down and patching systems for meltdown, shellshock, and log4j? So did I. I've also probably helped you track your product EOLs by creating endoflife.date.

This talk takes all of my experience and focuses on a single core learning - you need to stop chasing CVEs.

Here's the core argument:

1. CVEs are Too Late: They're after-the-fact alerts. By the time you know, so do attackers.
2. Upgrading Isn't Always an Option: Real-world constraints often make immediate patching a pipe dream.
3. You Can't Patch Everything: Sometimes, technical or operational hurdles make it impossible to fix known vulnerabilities.
4. Regular Updates Are Key: Ditch the CVE chase. Regular, proactive updates are your best defence.

The remainder of the talk will go into specific threat models and why enforcing proactive updates is the cleanest strategy. It will also go into why this isn't a silver-bullet either, but needs to be practised alongside other defence in depth measures.


Transcript

  1. About Me
     Founding Engineer @ Razorpay
     Creator, endoflife.date
     OSS Maintainer
     captnemo.in | blr.today
     Recurse Center Alum
     Takshashila Scholar
     Speedcuber, Homelabber, Niradhaar
  2. Aside 1: NIST/NVD/CVE Drama
     • NIST scaled back the NVD program in April 2024.
     • As of May 20, of all new vulnerabilities since February 93.4 percent remained unanalyzed.
     • NIST amended its five-year, $125 million IT contract with Maryland-based Analygence to include support for clearing the NVD backlog.
     • As of September 21, 2024, 72.4% of CVEs (18,358 CVEs) in the NVD have yet to be analyzed (compared to 93.4% as of May 19, 2024).
     https://www.theregister.com/2024/10/02/cve_pileup_nvd_missed_deadline/
  3. Aside 2: The CVE System is broken
     • NVD makes up vulnerability severity levels
     • CVE-2020-19909 is everything that is wrong with CVEs
     • NVD damage continued | daniel.haxx.se
     • CVEMITRECVSSNVDCNAOSS WTF - (Talk)
     • Resume-chasing CVEs
     Vulnerability Scanners do not get this nuance.
  4. Always run a supported release
     Upgrade Safely
     ❏ Have Better Tests
     ❏ Run a minimal distro
     ❏ Use distroless containers
  5. Always run a supported release
     Upgrade Safely
     ❏ Have Better Tests
     ❏ Run a minimal/rolling distro
     ❏ Use distroless containers
     Regularly
     ❏ Track your Inventory
     ❏ Track your Support Cycles
     ❏ Risk-rank your inventory
     ❏ Understand your Upgrade Paths.
  6. Supply Chain Security is moving fast
     • SBOM ecosystem is growing fast.
     • NIST/PCI/CIS/… Guidelines are evolving towards this reality.
     • Build an Inventory, but double check it.
     • Run your scanners, but don’t believe them on everything.
     • Don’t forget cloud versioned services (RDS/EKS/…)
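The "Regularly" checklist on slide 5 (track your inventory, track your support cycles, risk-rank it) and the inventory points on slide 6, as an added example that is not part of the talk or of endoflife.date: a small Python script that ranks an inventory by support-cycle status instead of by CVE count. It assumes cycle data in the shape of endoflife.date's per-product JSON API and uses a constructed sample in place of live output.

```python
"""Rank an inventory by support-cycle status (added example, not from the talk)."""
from datetime import date, timedelta

# Constructed sample shaped like endoflife.date's per-product JSON API
# (an assumption about its shape: a list of cycles, each with a "cycle" label
# and an "eol" field that is an ISO date or a boolean). Not live API output.
CYCLES = {
    "python": [
        {"cycle": "3.12", "eol": "2028-10-31"},
        {"cycle": "3.8", "eol": "2024-10-07"},
        {"cycle": "2.7", "eol": "2020-01-01"},
    ],
    "ubuntu": [
        {"cycle": "24.04", "eol": "2029-04-25"},
        {"cycle": "18.04", "eol": "2023-05-31"},
    ],
    "rolling-tool": [{"cycle": "latest", "eol": False}],  # rolling release: never EOL
}

RISK_ORDER = {"eol": 0, "unknown": 1, "ending-soon": 2, "supported": 3}

def cycle_status(product, cycle, today, warn_days=90):
    """Classify one inventory item as eol / ending-soon / supported / unknown."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    for c in CYCLES.get(product, []):
        if c["cycle"] != cycle:
            continue
        eol = c["eol"]
        if isinstance(eol, bool):          # True = already EOL, False = still supported
            return "eol" if eol else "supported"
        eol_date = date.fromisoformat(eol)
        if eol_date < today:
            return "eol"
        if eol_date - today <= timedelta(days=warn_days):
            return "ending-soon"
        return "supported"
    return "unknown"  # untracked: an inventory gap, ranked above 'supported'

def rank_inventory(inventory, today):
    """Return (host, product, cycle, status) rows, riskiest first."""
    rows = [(h, p, c, cycle_status(p, c, today)) for h, p, c in inventory]
    return sorted(rows, key=lambda r: (RISK_ORDER[r[3]], r[0]))

if __name__ == "__main__":
    inv = [("web-1", "python", "3.8"), ("db-1", "ubuntu", "18.04"),
           ("ci-1", "rolling-tool", "latest"), ("cache-1", "redis", "6.2")]
    for row in rank_inventory(inv, "2024-10-05"):
        print(row)
```

Items the cycle data does not know about are ranked just below EOL ones, since an untracked component is exactly the inventory gap slide 6 warns about.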