Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Stop Chasing CVEs

Nemo
October 05, 2024
Technology
0
16

Stop Chasing CVEs

Waiting for vulnerability alerts to secure your systems is a flawed strategy. Did you spend time tracking down and patching systems for meltdown, shellshock, and log4j? So did I. I've also probably helped you track your product EOLs by creating endoflife.date.

This talk takes all of my experience and focuses on a single core learning - you need to stop chasing CVEs.

Here's the core argument:

1. CVEs are Too Late: They're after-the-fact alerts. By the time you know, so do attackers.
2. Upgrading Isn't Always an Option: Real-world constraints often make immediate patching a pipe dream.
3. You Can't Patch Everything: Sometimes, technical or operational hurdles make it impossible to fix known vulnerabilities.
4. Regular Updates Are Key: Ditch the CVE chase. Regular, proactive updates are your best defence.

The remainder of the talk will go into specific threat models and why enforcing proactive updates is the cleanest strategy. It will also go into why this isn't a silver-bullet either, but needs to be practised alongside other defence in depth measures.

Nemo

October 05, 2024
Tweet

More Decks by Nemo

See All by Nemo
Ideas are Worthless
captn3m0
0
21
endoflife.date Recommendations
captn3m0
1
240
Sanskari Proxy
captn3m0
0
49
Laravel Upgrade Stories
captn3m0
0
70
Terraforming Tatooine
captn3m0
0
270
You don't need Blockchain
captn3m0
0
200
hillhacks quiz 2017
captn3m0
0
260
Security Horror stories in Payments
captn3m0
0
470
All Software Sucks
captn3m0
0
220

Other Decks in Technology

See All in Technology
製造現場のデジタル化における課題とPLC Data to Cloudによる新しいアプローチ
hamadakoji
0
210
Microsoft Intune アプリのトラブルシューティング
sophiakunii
1
410
フロントエンド メタフレームワーク 選定の際に考えたこと
yuppeeng
0
600
Spring Frameworkの新標準!? ~ RestClientとHTTPインターフェース入門 ~
ogiwarat
2
260
ドメイン名の終活について - JPAAWG 7th -
mikit
31
17k
隣接領域をBeyondするFinatextのエンジニア組織設計 / beyond-engineering-areas
stajima
1
230
AI機能の開発運用のリアルと今後のリアル
akiroom
0
250
SREの組織類型に応じた リーダシップの考察
kenta_hi
PRO
1
620
フルカイテン株式会社 採用資料
fullkaiten
0
40k
2024年グライダー曲技世界選手権参加報告/2024 WGAC report
jscseminar
0
200
エンジニアが一生困らない ドキュメント作成の基本
naohiro_nakata
2
150
形式手法の 10 メートル手前 #kernelvm / Kernel VM Study Hokuriku Part 7
ytaka23
5
750

Featured

See All Featured
Unsuck your backbone
ammeep
668
57k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
Rails Girls Zürich Keynote
gr2m
93
13k
Optimizing for Happiness
mojombo
376
69k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.7k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
27
2k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
43
6.8k
Building an army of robots
kneath
302
42k
BBQ
matthewcrist
85
9.3k
Being A Developer After 40
akosma
86
590k
What's in a price? How to price your products and services
michaelherold
243
12k
The Cult of Friendly URLs
andyhume
78
6k

Transcript

  1. Stop Chasing CVEs nemo | Oct 2024 Mercari India Security

    Conclave

  2. About Me Founding Engineer @ Razorpay Creator, endoflife.date OSS Maintainer

    captnemo.in | blr.today Recurse Center Alum Takshashila Scholar Speedcuber, Homelabber, Niradhaar

  3. endoflife.date endoflife.date/k8s endoflife.date/eks

  4. None
  5. None
  6. None

  7. Stop Chasing CVEs

  8. 40k MITRE NIST CVEs issued yearly By Scored By NVD

    Published As

  9. Aside 1: NIST/NVD/CVE Drama • NIST scaled back the NVD

    program in April 2024. • As of May 20, of all new vulnerabilities since February 93.4 percent remained unanalyzed. • NIST amended its five-year, $125 million IT contract with Maryland-based Analygence to include support for clearing the NVD backlog. • As of September 21, 2024, 72.4% of CVEs (18,358 CVEs) in the NVD have yet to be analyzed (compared to 93.4% as of May 19, 2024). https://www.theregister.com/2024/10/02/cve_pileup_nvd_missed_deadline/

  10. https://vulncheck.com/blog/nvd-backlog-exploitation-lurking

  11. Aside 2: The CVE System is broken • NVD makes

    up vulnerability severity levels • CVE-2020-19909 is everything that is wrong with CVEs • NVD damage continued | daniel.haxx.se • CVEMITRECVSSNVDCNAOSS WTF - (Talk) • Resume-chasing CVEs Vulnerability Scanners do not get this nuance.

  12. Stop Chasing CVEs

  13. 1/ CVEs are too Late

  14. CVE-2024-6468

  15. CVE-2024-6468 enterprise-only

  16. 2/ Fixing a CVE might be impossible

  17. endoflife.date/python

  18. endoflife.date/python

  19. endoflife.date/centos

  20. None

  21. Distro Container OSS? Backporting fixes on your own is harder

    than it seems.

  22. 4/ Detections can be misleading.

  23. A rough representation of how Vulnerability Scanners work.

  24. Your SBOM can lie to you https://github.com/anchore/syft/issues/1197 (Fixed)

  25. 5/ Regular Updates are Key

  26. None

  27. Always run a supported release Upgrade Safely ❏ Have Better

    Tests ❏ Run a minimal distro ❏ Use distroless containers

  28. Always run a supported release Upgrade Safely ❏ Have Better

    Tests ❏ Run a minimal/rolling distro ❏ Use distroless containers Regularly ❏ Track your Inventory ❏ Track your Support Cycles ❏ Risk-rank your inventory ❏ Understand your Upgrade Paths.

  29. Supply Chain Security is moving fast • SBOM ecosystem is

    growing fast. • NIST/PCI/CIS/… Guidelines are evolving towards this reality. • Build a Inventory, but double check it. • Run your scanners, but don’t believe them on everything. • Don’t forget cloud versioned services (RDS/EKS/…)

  30. Reach Out captnemo.in