Slide 1

Stop Chasing CVEs
nemo | Oct 2024
Mercari India Security Conclave

Slide 2

About Me
Founding Engineer @ Razorpay
Creator, endoflife.date
OSS Maintainer
captnemo.in | blr.today
Recurse Center Alum
Takshashila Scholar
Speedcuber, Homelabber, Niradhaar

Slide 3

endoflife.date
endoflife.date/k8s
endoflife.date/eks

Slide 4


Slide 5


Slide 6


Slide 7

Stop Chasing CVEs

Slide 8

40k CVEs issued yearly: published by MITRE, scored by NIST (NVD)

Slide 9

Aside 1: NIST/NVD/CVE Drama
● NIST scaled back the NVD program in April 2024.
● As of May 20, 93.4 percent of all new vulnerabilities since February remained unanalyzed.
● NIST amended its five-year, $125 million IT contract with Maryland-based Analygence to include support for clearing the NVD backlog.
● As of September 21, 2024, 72.4% of CVEs (18,358 CVEs) in the NVD have yet to be analyzed (compared to 93.4% as of May 19, 2024).
https://www.theregister.com/2024/10/02/cve_pileup_nvd_missed_deadline/

Slide 10

https://vulncheck.com/blog/nvd-backlog-exploitation-lurking

Slide 11

Aside 2: The CVE System is broken
● NVD makes up vulnerability severity levels
● CVE-2020-19909 is everything that is wrong with CVEs
● NVD damage continued | daniel.haxx.se
● CVEMITRECVSSNVDCNAOSS WTF - (Talk)
● Resume-chasing CVEs
Vulnerability Scanners do not get this nuance.

Slide 12

Stop Chasing CVEs

Slide 13

1/ CVEs are too Late

Slide 14

CVE-2024-6468

Slide 15

CVE-2024-6468 enterprise-only

Slide 16

2/ Fixing a CVE might be impossible

Slide 17

endoflife.date/python

Slide 18

endoflife.date/python

Slide 19

endoflife.date/centos

Slide 20


Slide 21

Distro / Container / OSS?
Backporting fixes on your own is harder than it seems.

Slide 22

4/ Detections can be misleading.

Slide 23

A rough representation of how Vulnerability Scanners work.

Slide 24

Your SBOM can lie to you
https://github.com/anchore/syft/issues/1197 (Fixed)

Slide 25

5/ Regular Updates are Key

Slide 26


Slide 27

Always run a supported release
Upgrade Safely
❏ Have Better Tests
❏ Run a minimal distro
❏ Use distroless containers

Slide 28

Always run a supported release
Upgrade Safely
❏ Have Better Tests
❏ Run a minimal/rolling distro
❏ Use distroless containers
Regularly
❏ Track your Inventory
❏ Track your Support Cycles
❏ Risk-rank your inventory
❏ Understand your Upgrade Paths.
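One way to put "track your inventory" and "track your support cycles" together, as an added example that is not from the talk or from endoflife.date itself: the cycle records below are constructed to mirror the shape of endoflife.date's per-product JSON (`/api/<product>.json`), whose `eol` field is either an ISO date or a boolean, and the inventory rows and asset names are likewise made up.

```python
from datetime import date

# Constructed sample shaped like endoflife.date's /api/<product>.json cycle
# records: "eol" is either an ISO date string or a boolean (assumption: a
# few representative cycles, not the live data).
CYCLES = {
    "python": [
        {"cycle": "3.12", "eol": "2028-10-31", "latest": "3.12.7"},
        {"cycle": "3.8", "eol": "2024-10-07", "latest": "3.8.20"},
    ],
    "centos": [{"cycle": "7", "eol": "2024-06-30", "latest": "7.9-2009"}],
    "eks": [{"cycle": "1.31", "eol": False, "latest": "1.31"}],
}

# Constructed inventory rows: (asset, product, cycle in use).
INVENTORY = [
    ("api-worker", "python", "3.8"),
    ("batch-host", "centos", "7"),
    ("prod-cluster", "eks", "1.31"),
    ("legacy-tool", "python", "2.7"),  # cycle absent from our data
]

TODAY = date(2024, 10, 15)  # fixed so the run is reproducible


def is_eol(eol, today):
    """endoflife.date encodes eol as a date string or a boolean."""
    if isinstance(eol, bool):
        return eol
    return date.fromisoformat(eol) <= today


def triage(inventory, cycles, today):
    """Return (asset, status, detail) rows; status is eol/supported/unknown.
    Unknown cycles are reported, not skipped: a gap in the data is a finding."""
    out = []
    for asset, product, cycle in inventory:
        rec = next((c for c in cycles.get(product, []) if c["cycle"] == cycle), None)
        if rec is None:
            out.append((asset, "unknown", f"{product} {cycle} has no cycle data"))
        elif is_eol(rec["eol"], today):
            out.append((asset, "eol", f"{product} {cycle} reached EOL {rec['eol']}"))
        else:
            out.append((asset, "supported", f"{product} {cycle}, latest {rec['latest']}"))
    return out


if __name__ == "__main__":
    for row in triage(INVENTORY, CYCLES, TODAY):
        print(*row)
```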

Slide 29

Supply Chain Security is moving fast
● SBOM ecosystem is growing fast.
● NIST/PCI/CIS/… Guidelines are evolving towards this reality.
● Build an Inventory, but double check it.
● Run your scanners, but don’t believe them on everything.
● Don’t forget cloud versioned services (RDS/EKS/…)

Slide 30

Reach Out captnemo.in