How to handle vulnerabilities
Created by Pierre Zemb / @PierreZ
ISEN Brest - 2016
Why?
Summary
- What is a vulnerability/CVE?
- What's happening on a server?
- Immutable Infrastructure
- Conclusion
- Overview of GNU/Linux distributions
- The new Stack by Google
- Immutable application
Appendices:
What is a vulnerability?
Intersection of:
- The presence of a flaw.
- The possibility for a attacker to access it.
- The possibility for a attacker to exploit it.
What is a CVE?
Common Vulnerability Exposure
- A unique identifier
- A description
- A reference
- An entry date
- A priority
Where can I find a list?
Vulnerabilities by year, taken from CVE Details
76826 vulnerabilities
Writing code is hard
"The design of Linux and BSD is secure. The implementation is not."
Vulnerabilities by type, taken from CVE Details
So, I need to upgrade my servers on a daily basis...
What's happening on a server?
- Backup
- Updates
- Certifications
- Process
- Provisionning
- Security
- Hardware Maintenance
What's happening on a server?
All the servers are generating a infinite number of state
Immutable infrastructure
Two states:
- Functional
- Not functional
App update? OS update? Hardware maintenance?
Redeploy new instance and delete the old one
Service uptime
!=
Server uptime
Handle data?
Use different volumes!
- One volume for the OS
- Short-lived volume for the data
Conclusion
"There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked"
- Security is hard
- Handling CVE is hard
- Automation and immutable infrastructure are the key
Do you have any questions?
Overview of GNU/Linux distributions
Binary-based distribution
Source-based distribution
Overview of GNU/Linux distributions
Source-based distribution
Advantages:
- Light
- Hackability
- Upstream-friendly
Documented vulnerabilities per year provided by SRCCLR
The new Stack by Google
- Applications Ops
- Cluster Ops
- Kernel/OS Ops
- Hardware Ops
Immutable applications
Kubernetes