Scanner
• Identifying components with known vulnerabilities
  • e.g. Trivy, Clair, Aqua Scanner
• Unknown vulnerabilities
  • Web application vulnerability scanners, fuzzing tools
  • e.g. OWASP ZAP, OSS-Fuzz
(Image: Designed by vvstudio / Freepik)

Target
• Software written by you: your vulnerabilities
• 3rd-party vulnerabilities: well-known software
  • e.g. OpenSSL, Nginx
Upstream
• 3rd-party developers write source
Distribution
  ▪ … / disable features
  ▪ Link with libraries
  ▪ Re-package
  ▪ Fix bugs that aren't in upstream
  ▪ Apply security patches
• Compiled & packaged, pushed to the package repository, shipped as a binary distribution
• … may take months to reach the package repositories
• Often don't want to update to the latest version just to get an upstream fix for a security vulnerability
• Debian often backports security fixes to older versions and repackages them
• Cron jobs on Travis CI
• Pros:
  • Stability: some APIs often return 500
  • Fetch only the difference
  • History, e.g. CVSS score updates
• https://github.com/aquasecurity/vuln-list
• … issues with the security label
  • https://gitlab.alpinelinux.org/alpine/aports/issues?scope=all&label_name[]=Security
• Check for differences (git diff)
• Discussing with developers
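The "fetch only the difference" and "history" points above amount to reconciling a freshly fetched advisory feed against the previously stored snapshot and recording each change, the way a commit log captures a CVSS score update. The following is an added example and not vuln-list's own code: it diffs two snapshots keyed by advisory id, then produces the next snapshot plus one log line per change. The advisory ids (`CVE-0000-000N`), package names and scores are constructed placeholders, not real advisories.

```python
# Added example: write only the difference between two advisory snapshots
# and keep a change log, instead of overwriting the whole data set.
from typing import Any, Dict, List, Tuple

Advisory = Dict[str, Any]
Snapshot = Dict[str, Advisory]


def diff_advisories(stored: Snapshot, fetched: Snapshot) -> Dict[str, Any]:
    """Return only what changed: new ids, withdrawn ids, and per-field
    (old, new) pairs for ids present in both snapshots."""
    added = sorted(set(fetched) - set(stored))
    removed = sorted(set(stored) - set(fetched))
    changed: List[Tuple[str, Dict[str, Tuple[Any, Any]]]] = []
    for aid in sorted(set(stored) & set(fetched)):
        old, new = stored[aid], fetched[aid]
        delta = {
            field: (old.get(field), new.get(field))
            for field in sorted(set(old) | set(new))
            if old.get(field) != new.get(field)
        }
        if delta:
            changed.append((aid, delta))
    return {"added": added, "removed": removed, "changed": changed}


def apply_diff(stored: Snapshot, fetched: Snapshot,
               diff: Dict[str, Any]) -> Tuple[Snapshot, List[str]]:
    """Build the next snapshot from the diff and emit one log line per
    change, so a score update stays visible in the history."""
    nxt = dict(stored)
    log: List[str] = []
    for aid in diff["added"]:
        nxt[aid] = fetched[aid]
        log.append(f"add {aid}")
    for aid, delta in diff["changed"]:
        nxt[aid] = fetched[aid]
        desc = ", ".join(f"{f}: {o!r} -> {n!r}" for f, (o, n) in delta.items())
        log.append(f"update {aid}: {desc}")
    for aid in diff["removed"]:
        del nxt[aid]
        log.append(f"remove {aid}")
    return nxt, log


# Constructed snapshots with placeholder ids (not real advisories).
PREVIOUS: Snapshot = {
    "CVE-0000-0001": {"package": "examplepkg", "cvss": 5.0, "fixed": "1.2-1"},
    "CVE-0000-0002": {"package": "otherpkg", "cvss": 7.5, "fixed": None},
}
FETCHED: Snapshot = {
    "CVE-0000-0001": {"package": "examplepkg", "cvss": 9.8, "fixed": "1.2-1"},  # score raised
    "CVE-0000-0002": {"package": "otherpkg", "cvss": 7.5, "fixed": None},       # unchanged
    "CVE-0000-0003": {"package": "newpkg", "cvss": 4.3, "fixed": "2.0-1"},      # new entry
}


def run_example() -> List[str]:
    """Reconcile the constructed snapshots and return the change log."""
    diff = diff_advisories(PREVIOUS, FETCHED)
    _next_snapshot, log = apply_diff(PREVIOUS, FETCHED, diff)
    return log


if __name__ == "__main__":
    for line in run_example():
        print(line)
```

Because the diff is computed only after a complete fetch succeeds, a feed that answers with a 500 on one run leaves the stored snapshot untouched rather than wiping entries; the next successful run then yields exactly the missed changes.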