Post AG4bacfmDqUpWnFPLk by wolf480pl@mstdn.io
Post #AG43MAowu7Ga65fco4 by wolf480pl@mstdn.io
2022-02-02T11:12:48Z
0 likes, 1 repeats
How does one make a process for dealing with CVEs at work?
Post #AG43TwMwWFGBaoH44W by benis@cawfee.club
2022-02-02T11:14:15.473652Z
0 likes, 0 repeats
@wolf480pl unilateral upgrades by the technician closest to the hardware. It's a process optimized for maximum carnage
Post #AG43c6ppUV1UMvgHLc by p@raru.re
2022-02-02T11:15:43Z
0 likes, 0 repeats
-> Keep tabs on CVE news
-> Keep an inventory of risk vectors (hardware/firmware, operating systems/versions, tooling/etc)
-> investigate vulnerability on CVE news
-> decide patch priority / schedule maintenance / downtime if needs be
Probably some missing, but this is what we did at Intel @wolf480pl
Post #AG43p7lRONC1F6qsjY by p@raru.re
2022-02-02T11:18:04Z
0 likes, 0 repeats
assuming I got the question @wolf480pl
Post #AG443FJO7xG0hmSqcy by wolf480pl@mstdn.io
2022-02-02T11:20:36Z
0 likes, 0 repeats
@p do you have some central database of all security advisories that affect you?
Post #AG44enmcvRu0Kc34PQ by p@raru.re
2022-02-02T11:27:24Z
0 likes, 0 repeats
someone probably did, even if it was an excel spreadsheet. I gave management a breakdown of how I thought about some CVEs, they took that and scheduled patching with prodops folk @wolf480pl
Post #AG45BaLdtlI4De3j6G by loke@functional.cafe
2022-02-02T11:33:17Z
0 likes, 0 repeats
@wolf480pl @p There are products designed to help with that. One example is Black Duck which automatically tracks your source repositories and makes it somewhat easy to get an overview of vulnerabilities that may affect you.
Post #AG45Xiadw4VY9Td4xk by nintegge@post.lurk.org
2022-02-02T11:37:16Z
0 likes, 0 repeats
@wolf480pl 1. have an inventory of your software in use (and who is responsible for it), 2. Fetch the new CVEs via RSS, 3. Match against your inventory and notify people if need be. This is how I did it.
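The three steps above (inventory with owners, fetch new CVEs, match and notify) as one small Python script. This is an added example, not code from the thread or from any product mentioned in it: it assumes the CVE feed has already been parsed into NVD-style version ranges (first affected version, first fixed version), and every product name, version, owner and CVE id below is constructed.

```python
"""Match a software inventory against CVE records and group notifications by owner.

Added example, not from the thread. Assumes CVE entries have already been
parsed from a feed into NVD-style version ranges (first affected version,
first fixed version). All products, versions and CVE ids below are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Asset:
    product: str
    version: str
    owner: str       # who is responsible for keeping this component patched
    where: str       # host, image or repository it lives in


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    product: str
    start_incl: Optional[str]   # first affected version (inclusive); None = any
    end_excl: Optional[str]     # first fixed version (exclusive); None = none yet
    cvss: float


@dataclass(frozen=True)
class Match:
    asset: Asset
    cve: CveRecord


# Constructed inventory: the thing the thread says you need before anything else.
INVENTORY = [
    Asset("libexample", "2.3.1", "platform-team", "base-image"),
    Asset("libexample", "2.5.0", "platform-team", "api-gateway"),
    Asset("webframework", "4.1.7", "payments-team", "payments-service"),
    Asset("toolkit", "1.9.2", "payments-team", "payments-service"),
]

# Constructed CVE records standing in for entries parsed from an RSS/JSON feed.
CVE_FEED = [
    CveRecord("CVE-0000-0001", "libexample", "2.0", "2.4.0", 7.5),
    CveRecord("CVE-0000-0002", "webframework", None, "4.2.0", 9.8),
    CveRecord("CVE-0000-0003", "toolkit", "1.9.3", None, 5.3),
    CveRecord("CVE-0000-0004", "unused-lib", None, None, 10.0),
]


def parse_version(v: str) -> tuple:
    """Split a dotted numeric version into a tuple of ints; non-digits are ignored."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def cmp_versions(a: str, b: str) -> int:
    """Compare versions after zero-padding, so "1.2" == "1.2.0". Returns -1, 0 or 1."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    return (pa > pb) - (pa < pb)


def version_affected(version: str, start_incl: Optional[str], end_excl: Optional[str]) -> bool:
    """True if version lies in the half-open range [start_incl, end_excl)."""
    if start_incl is not None and cmp_versions(version, start_incl) < 0:
        return False
    if end_excl is not None and cmp_versions(version, end_excl) >= 0:
        return False
    return True


def match_inventory(inventory, feed):
    """Return every (asset, CVE) pair whose product and version range line up, worst first."""
    matches = [
        Match(asset, cve)
        for cve in feed
        for asset in inventory
        if asset.product == cve.product
        and version_affected(asset.version, cve.start_incl, cve.end_excl)
    ]
    return sorted(matches, key=lambda m: -m.cve.cvss)


def notifications_by_owner(matches):
    """Group matched CVE ids by the owner who has to act on them."""
    by_owner = {}
    for m in matches:
        by_owner.setdefault(m.asset.owner, []).append(m.cve.cve_id)
    return {owner: sorted(set(ids)) for owner, ids in by_owner.items()}


if __name__ == "__main__":
    for owner, ids in notifications_by_owner(match_inventory(INVENTORY, CVE_FEED)).items():
        print(f"{owner}: {', '.join(ids)}")
```

The matching is deliberately strict on product name and version range, so a CVE for a product nobody runs (or for versions nobody runs) produces no notification at all; that is where most of the noise the thread complains about gets cut before a human sees it. The version comparison zero-pads so that "2.4" and "2.4.0" compare equal, which is a common source of false matches in home-grown matchers.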
Post #AG45eH8MPoiV1cWjsu by p@raru.re
2022-02-02T11:38:30Z
0 likes, 0 repeats
we used black duck for license scanning/compliance, they probably have other tools too. openhub.net is neat @loke @wolf480pl
Post #AG46xlCcwbwJjpNTvc by loke@functional.cafe
2022-02-02T11:53:13Z
0 likes, 0 repeats
@p @wolf480pl The CVE scanning is pretty good. For a large project you need something like that to help you manage it, otherwise you'll be overwhelmed quickly. Well, you'll get overwhelmed anyway, but at least it helps a bit.
Post #AG48KqvhuvJQ7C2T32 by wolf480pl@mstdn.io
2022-02-02T12:08:36Z
0 likes, 0 repeats
@loke @p github has alerts about CVEs in dependencies, there are also tools that statically scan your docker images, but they generate *a lot* of alerts, a large part of which doesn't really affect you. How does one aggregate all that data and filter down to a manageable amount?
Post #AG48NPu6r3VdAHVw8G by wolf480pl@mstdn.io
2022-02-02T12:09:04Z
0 likes, 0 repeats
@nintegge how many notifications per week did you get?
Post #AG49Ra8HJNjjobHnWq by woozong@post.lurk.org
2022-02-02T12:21:01Z
0 likes, 0 repeats
@p @loke @wolf480pl we're using snyk.io in all our builds/projects
Post #AG49qYejwDUuTYNa2i by loke@functional.cafe
2022-02-02T12:25:31Z
0 likes, 0 repeats
@wolf480pl @p Yeah, the github warnings are not useful because as best as I can tell there is no way to classify them or add notes. What you want to do is to say that this particular issue is not exploitable in the current version so the warning is silenced unless something changes. What I would like is to be able to say that a given piece of code uses the vulnerable library in a given way. But if new code is committed that uses the same library, then the warning should show up again so one can make a new assessment whether the new code is impacted by the vulnerability.
Post #AG4AS25fSsK6TlqO1o by wolf480pl@mstdn.io
2022-02-02T12:32:14Z
0 likes, 0 repeats
@loke @p docker ones aren't super helpful either, there happens to be a vulnerable Linux kernel in many of them which will never run so it's irrelevant if it parses ext superblocks wrong
Post #AG4D9do0YvFLt1AE0e by nintegge@post.lurk.org
2022-02-02T13:02:34Z
0 likes, 0 repeats
@wolf480pl in general or relevant ones?
Post #AG4DUd6mLkIDnyx5OK by wolf480pl@mstdn.io
2022-02-02T13:05:35Z
0 likes, 0 repeats
@nintegge ones you need a human to look at
Post #AG4HlXaJTwdXqjcXho by nintegge@post.lurk.org
2022-02-02T13:54:13Z
0 likes, 0 repeats
@wolf480pl about five a day.
Post #AG4IJB2PogzDlfnvTk by wolf480pl@mstdn.io
2022-02-02T14:00:20Z
0 likes, 0 repeats
@nintegge that sounds like a lot. Is there a dedicated person handling those?
Post #AG4bIsiDqiqs3pvpRY by nintegge@post.lurk.org
2022-02-02T17:32:43Z
0 likes, 0 repeats
@wolf480pl there is a person in charge to handle vulnerabilities. Mind you the organisation I worked for had about a hundred people of technical staff. So you will have different levels of maturity handling security issues.
Post #AG4bRA8svdzkR5Lriy by nintegge@post.lurk.org
2022-02-02T17:34:40Z
0 likes, 0 repeats
@wolf480pl don’t focus too much on the numbers. Have an inventory of your tech stack and you have a good basis to work from. The rest can be tacked on top as the need arises.
Post #AG4bZ2DiGbomBNMc08 by wolf480pl@mstdn.io
2022-02-02T17:36:06Z
0 likes, 0 repeats
@nintegge my point is, it will be overwhelming.
Post #AG4bacfmDqUpWnFPLk by wolf480pl@mstdn.io
2022-02-02T17:36:24Z
0 likes, 0 repeats
@nintegge like, we won't get anything done because we'll be tracking CVEs all day...
Post #AG4cOUAU7Ig5d8O4qu by lanodan@queer.hacktivis.me
2022-02-02T17:45:22.008911Z
0 likes, 0 repeats
@wolf480pl @nintegge All software tend to have an identifier used in CVEs, that said:
- A good distro should already manage everything it packages and provide an aggregate
- Software generally have an identifier to ease tracking
- They should all come with a severity score
- Maybe consider grabbing the full database exports to use some tools, which most distros make public
Post #AG4cmDdlDb8dJuOjD6 by wolf480pl@mstdn.io
2022-02-02T17:49:41Z
0 likes, 0 repeats
@lanodan @nintegge yeah but at work we're using non-distro packaged software, in particular:
- we have software projects that use language-specific dependency manager - github can tell us about CVEs in the dependencies we use, but not if they affect us
- use docker containers, some of them we build ourselves, others we pull from dockerhub - we found a tool that can statically scan those for versions of software components with known vulns, but again, doesn't tell us if they affect us
Post #AG4d4cvbwANYxgWawa by wolf480pl@mstdn.io
2022-02-02T17:52:35Z
0 likes, 0 repeats
@lanodan @nintegge so for example we get a notification that there's a CVE in Linux kernel which is present in half of the docker images we use, but that kernel never runs, so it doesn't matter if it parses ext superblocks wrong.
Post #AG4dOAOBkpnGF0D17I by lanodan@queer.hacktivis.me
2022-02-02T17:56:31.125610Z
1 likes, 1 repeats
@wolf480pl @nintegge I would tend to say that if a software is used and has a CVE, by default you are affected. Knowing if a program is affected by a vulnerability in a library can be a bit hard, for an operating system or python it can be basically impossible. At least that's why I tend to strongly avoid software which can be dangerous or is too gigantic and generally try to throw away everything not needed.
Post #AG4dVHTlnBICG1DCXg by wolf480pl@mstdn.io
2022-02-02T17:57:51Z
0 likes, 0 repeats
@lanodan @nintegge Yeah but what I'm asking is, if you can't avoid having gigantic dependencies because it's not up to you how your company develops software, how do you deal with a gigantic list of CVEs?
Post #AG4dqDPk6JJtjPJJTM by lanodan@queer.hacktivis.me
2022-02-02T18:01:35.061896Z
0 likes, 0 repeats
@wolf480pl @nintegge I would be willing to bet actual money that they don't or they have an army of developers to try to cope with it. In any case it's a sinking ship.
Post #AG4eA2tKvwF6t5bnjE by pony@blovice.bahnhof.cz
2022-02-02T18:05:13.290521Z
0 likes, 0 repeats
@wolf480pl for what? if it's a paid product, i'd expect the vendor giving me updates (both for the software and in a sense of sending bulletins with relevant info), after all, that's what i pay for, if it's more like watching openssl, i just have to do it and then mitigate/fix, would just watch with tickets
Post #AG4eHY6BIvoPhaC7o8 by wolf480pl@mstdn.io
2022-02-02T18:06:33Z
0 likes, 0 repeats
@pony yeah but imagine you're getting updates from 30 vendors and 50 openssls and now you need to put them all in one place, sort them, figure out which apply to you and which don't, and harass the right developers to update their requirements.txt or other pom.xml
Post #AG4eXVI5VnyzcuN6Aq by pony@blovice.bahnhof.cz
2022-02-02T18:09:27.970442Z
1 likes, 0 repeats
@wolf480pl i think we're using some tools like there's a scanner for dependencies (that only works for java anyway) that will trigger warning and such, but then you also need different process for infrastructure deps and whatnot, in our lovely corpo, they think there's a team of "security" watching it, but it doesn't work, it's just a bunch of morons trying to centralize everything
Post #AG4ed7FzmX5IpC4LE8 by wolf480pl@mstdn.io
2022-02-02T18:10:27Z
0 likes, 0 repeats
@pony so yeah we have scanners like that too just... dunno what to do with the scan results, there's too many...
Post #AG4etYtan1ELB5Qqv2 by pony@blovice.bahnhof.cz
2022-02-02T18:13:27.486149Z
0 likes, 0 repeats
@wolf480pl that sounds like you problem, you have to go through it once when you set it up, but once you marked the exceptions, the inflow of new ones should not really be that overwhelming
Post #AG4ez5biazjm4yhvBA by wolf480pl@mstdn.io
2022-02-02T18:14:01Z
0 likes, 0 repeats
@pony hmm yeah but need a tool where I can like, mark exceptions
Post #AG4f1ms8i16KqGftSa by pony@blovice.bahnhof.cz
2022-02-02T18:14:56.493361Z
0 likes, 0 repeats
@wolf480pl most of them are like that?
Post #AG4fRJI3JhpGckxvUG by wolf480pl@mstdn.io
2022-02-02T18:19:31Z
0 likes, 0 repeats
@pony yeah but like, get it from all the scanners into one place and then mark exceptions? Is what I thought, but maybe I'm wrong...
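What "get it from all the scanners into one place and then mark exceptions" can look like in practice, combined with loke's earlier wish that a silenced warning comes back when new code starts using the same library. This is an added example, not code from the thread or from any scanner or product named in it: the three scanner output schemas, the CVE ids, the image and repository names and the recorded exceptions are all constructed, and the "usage fingerprint" mechanism is the example's own design, not a feature of any particular tool.

```python
"""Pull findings from several scanners into one queue and apply reviewed exceptions
that re-surface automatically when the way a component is used changes.

Added example, not from the thread or any product named in it. The three scanner
schemas, CVE ids, locations and exceptions below are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve_id: str
    component: str
    version: str
    location: str        # image, repository or host where the component was found
    severity: float
    usage_sites: tuple   # files that use the component, when the scanner knows them
    scanners: tuple      # which scanners reported it


@dataclass(frozen=True)
class Suppression:
    cve_id: str
    component: str
    location: str
    reason: str          # the human assessment that justified silencing it
    usage_fp: str        # fingerprint of the usage that was reviewed at that time


def usage_fingerprint(usage_sites) -> str:
    """Stable hash of where a component is used; changes when new code starts using it."""
    return hashlib.sha256("\n".join(sorted(usage_sites)).encode()).hexdigest()[:16]


# Constructed scanner outputs, each with its own field names (as real ones tend to have).
RAW_IMGSCAN = [
    {"vulnerability": "CVE-0000-0101", "pkg": "linux-kernel", "installed": "5.10.0",
     "image": "registry.example/base:1", "score": 7.8},
    {"vulnerability": "CVE-0000-0102", "pkg": "libexample", "installed": "2.3.1",
     "image": "registry.example/base:1", "score": 7.5},
]
RAW_SBOMSCAN = [
    {"cve": "CVE-0000-0102", "name": "libexample", "ver": "2.3.1",
     "target": "registry.example/base:1", "cvss": 7.5},
]
RAW_DEPSCAN = [
    {"id": "CVE-0000-0103", "package": "webframework", "version": "4.1.7",
     "repo": "git.example/payments", "cvss": 9.8,
     "importedBy": ["src/api.py", "src/new_upload.py"]},
]
SOURCES = {"imgscan": RAW_IMGSCAN, "sbomscan": RAW_SBOMSCAN, "depscan": RAW_DEPSCAN}

# Constructed exceptions, recorded after a human looked at each finding once.
SUPPRESSIONS = [
    Suppression("CVE-0000-0101", "linux-kernel", "registry.example/base:1",
                "kernel in the image never executes; containers run on the host kernel",
                usage_fingerprint(())),
    Suppression("CVE-0000-0103", "webframework", "git.example/payments",
                "vulnerable API not reachable from src/api.py",
                usage_fingerprint(("src/api.py",))),
]


def normalize(scanner: str, raw: dict) -> Finding:
    """Map one scanner's record onto the common Finding shape."""
    if scanner == "imgscan":
        return Finding(raw["vulnerability"], raw["pkg"], raw["installed"],
                       raw["image"], float(raw["score"]), (), (scanner,))
    if scanner == "sbomscan":
        return Finding(raw["cve"], raw["name"], raw["ver"],
                       raw["target"], float(raw["cvss"]), (), (scanner,))
    if scanner == "depscan":
        return Finding(raw["id"], raw["package"], raw["version"], raw["repo"],
                       float(raw["cvss"]), tuple(raw.get("importedBy", ())), (scanner,))
    raise ValueError(f"unknown scanner: {scanner}")


def aggregate(sources: dict) -> list:
    """Merge all scanner output into one record per (cve, component, location), worst first."""
    merged = {}
    for scanner, records in sources.items():
        for raw in records:
            f = normalize(scanner, raw)
            key = (f.cve_id, f.component, f.location)
            if key in merged:   # same finding seen by another scanner: merge, don't duplicate
                prev = merged[key]
                f = Finding(f.cve_id, f.component, f.version, f.location,
                            max(prev.severity, f.severity),
                            tuple(sorted(set(prev.usage_sites) | set(f.usage_sites))),
                            tuple(sorted(set(prev.scanners) | set(f.scanners))))
            merged[key] = f
    return sorted(merged.values(), key=lambda f: -f.severity)


def triage(findings: list, suppressions: list) -> dict:
    """Sort findings into queues: open (new), suppressed (reviewed), reassess (usage changed)."""
    index = {(s.cve_id, s.component, s.location): s for s in suppressions}
    queues = {"open": [], "suppressed": [], "reassess": []}
    for f in findings:
        s = index.get((f.cve_id, f.component, f.location))
        if s is None:
            queues["open"].append(f)
        elif s.usage_fp == usage_fingerprint(f.usage_sites):
            queues["suppressed"].append(f)
        else:
            queues["reassess"].append(f)   # new code uses the library since the review
    return queues


if __name__ == "__main__":
    for queue, items in triage(aggregate(SOURCES), SUPPRESSIONS).items():
        print(queue, [(f.cve_id, f.location, f.scanners) for f in items])
```

Only the "open" and "reassess" queues need a human; the never-executing kernel in the base image stays suppressed for as long as its context is unchanged, while the web framework finding comes back because a new file started importing it after the exception was written. Keying exceptions on (CVE, component, location) rather than on the scanner means the same decision applies no matter how many tools report the finding.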
Post #AG4gXEm77IyUJQPtTc by nintegge@post.lurk.org
2022-02-02T18:31:47Z
0 likes, 0 repeats
@wolf480pl @lanodan well, if you have that mess of a dependency tree and can’t handle it, then the org can’t securely develop and/or provide software. If you are the person with whom this bucket stops, then escalate to management. If security is something of significance to them, then they should give you appropriate resources. Otherwise it is a sinking ship as pointed out.
Post #AG4gyzEyT23QF19EG0 by wolf480pl@mstdn.io
2022-02-02T18:36:50Z
0 likes, 0 repeats
@nintegge @lanodan It's kinda the other way around - we didn't really pay attention to these CVEs and we're trying to figure out if we could. I'm fine with going back to not paying attention to those, but would be nice to at least try, right?
Post #AG4i932NJ0mcrncFvs by nintegge@post.lurk.org
2022-02-02T18:49:48Z
0 likes, 0 repeats
@wolf480pl @lanodan I recommend to try, because then you have data (tailored to your org). I advise picking the most valuable application/docker image (in terms of making money) and try to track all CVEs related to it. There the inventory is small and filtering becomes easier to be automated.