
What's so hard about vulnerability scanning

Liz Rice
April 19, 2018

Why scanning container images for known vulnerabilities isn't as easy as you might think

Transcript

  1. Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved.
     What's so hard about vulnerability scanning? Liz Rice @LizRice | @AquaSecTeam
  5. 8 Image vulnerability scanning
     ▪ Identify the packages & versions in the image
     ▪ Cross-reference with vulnerability database
     ▪ Profit
     Sounds easy!
  6. 10 Linux distributions
     ▪ The Linux Kernel is A Thing
     ▪ And then there are distributions: kernel +
       ▪ shell
       ▪ init system
       ▪ package manager
       ▪ GUI
       ▪ …
  7. 11 Linux distributions
     Debian:     default GUI GNOME; shell dash; editor nano; init systemd (prev. SysV); package manager deb; release model fixed, infrequent updates
     Ubuntu:     default GUI GNOME (prev. Unity); shell bash; editor vim; init systemd (prev. Upstart); package manager deb; release model fixed, infrequent updates
     OpenSUSE:   default GUI KDE; shell bash; editor vim; init systemd (prev. SysV); package manager rpm; release model fixed, frequent updates
     Alpine:     default GUI none; shell busybox sh; editor busybox vi; init busybox init; package manager apk; release model fixed, relatively frequent updates
     Arch Linux: default GUI none; shell bash; editor vim; init systemd (prev. SysV); package manager pacman; release model rolling, constant updates
  8. 12 Container images
     Each image carries its own copy of the filesystem tree: /bin /lib /usr /opt /var
  9. 14 How does software get into a Linux distribution?
     Upstream: 3rd-party developers write source
     Distribution: compiled & packaged
     Package repository: binary distribution
     Along the way the distribution may:
     ▪ Enable / disable features
     ▪ Link with libraries
     ▪ Re-package
     ▪ Fix bugs that aren't in upstream
     ▪ Apply security patches
  10. 15 Case study: Debian - focus on stability
     ▪ New versions may take months to reach the package repositories
     ▪ Often don't want to update to the latest version for an upstream fix to a security vulnerability
     ▪ Debian often backports security fixes to older versions and repackages them
  11. 16 Case study: Debian / CVE-2017-8807
     ▪ NVD reports this in Varnish HTTP Cache versions 4.0.0 - 5.2.0
  12. 17 Case study: Debian / CVE-2017-8807
     ▪ NVD reports this in Varnish HTTP Cache versions 4.0.0 - 5.2.0
     ▪ Debian applied patch to 5.0.0
  13. 19 Case study: Alpine / busybox 1.27.2
     ▪ Patches for the known vulnerabilities
     ▪ Other patches not known to NVD
  14. 22 Not all scanners are created equal
     Information sources / advisories
     ▪ NVD
     ▪ Distributions
     ▪ Vendors
     ▪ Languages
     ▪ WhiteSource
     Scanning techniques
     ▪ Layer-by-layer or image
     Functionality
     ▪ Malware
     ▪ File scanning
     ▪ Windows
  15. 24 Microscanner - package vulnerability scanning
     ▪ Runs as part of build
     ▪ Contacts Aqua Security cyber-center vulnerability database
     ▪ Free!

     FROM debian:jessie-slim
     # microscanner needs a CA bundle to talk to the vulnerability database over TLS
     RUN apt-get update && apt-get -y install ca-certificates
     # ADD from a URL requires a destination; the binary lands at /microscanner
     ADD https://get.aquasec.com/microscanner /
     RUN chmod +x /microscanner
     # the token is passed in at build time with --build-arg, never baked into the image
     ARG token
     RUN /microscanner ${token} && rm /microscanner