How to handle vulnerabilities

Created by Pierre Zemb / @PierreZ

ISEN Brest - 2016

Why?

Summary

  • What is a vulnerability/CVE?
  • What's happening on a server?
  • Immutable Infrastructure
  • Conclusion

Appendices:

  • Overview of GNU/Linux distributions
  • The new Stack by Google
  • Immutable application

What is a vulnerability?

Intersection of:

  • The presence of a flaw.
  • The possibility for an attacker to access it.
  • The possibility for an attacker to exploit it.

What is a CVE?

Common Vulnerabilities and Exposures

  • A unique identifier
  • A description
  • A reference
  • An entry date
  • A priority

Where can I find a list?

Vulnerabilities by year, taken from CVE Details

76826 vulnerabilities

Writing code is hard

"The design of Linux and BSD is secure. The implementation is not."

Why Rust? by Redox-OS

Vulnerabilities by type, taken from CVE Details

So, I need to upgrade my servers on a daily basis...
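An added example, not part of the slides: it models a CVE entry with the five fields listed above and orders a constructed set of entries for the daily upgrade run. The CVSS-style 0 to 10 priority scale, the 7.0 threshold and the sample records are assumptions of the example.

```python
import re
from dataclasses import dataclass
from datetime import date

# A CVE entry reduced to the five fields the slide lists. Priority is kept as a
# CVSS-style base score (0.0-10.0); that scale is an assumption of the example.
@dataclass(frozen=True)
class CveRecord:
    identifier: str
    description: str
    reference: str
    entry_date: date
    priority: float

# CVE identifiers look like "CVE-<4-digit year>-<4 or more digits>"
# (the sequence number is no longer capped at four digits).
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

def is_valid_cve_id(cve_id: str) -> bool:
    """Return True when the string has the CVE identifier shape."""
    return CVE_ID.fullmatch(cve_id) is not None

def triage(records, today: date, min_priority: float = 7.0):
    """Pick the entries worth acting on today and order them for patching.

    A malformed identifier is an error, not something to keep quietly; an
    entry dated in the future is skipped as bad data. The result is sorted by
    priority (highest first) and then by entry date (oldest first), so the
    longest-exposed serious flaw comes out on top.
    """
    chosen = []
    for rec in records:
        if not is_valid_cve_id(rec.identifier):
            raise ValueError(f"malformed identifier: {rec.identifier!r}")
        if rec.entry_date > today or rec.priority < min_priority:
            continue
        chosen.append(rec)
    chosen.sort(key=lambda r: (-r.priority, r.entry_date))
    return [r.identifier for r in chosen]

# Constructed sample entries for the demonstration, not real CVE records.
SAMPLE = [
    CveRecord("CVE-2016-0001", "constructed: remote code execution", "https://example.invalid/adv/1", date(2016, 1, 10), 9.8),
    CveRecord("CVE-2015-0002", "constructed: local privilege escalation", "https://example.invalid/adv/2", date(2015, 12, 1), 7.8),
    CveRecord("CVE-2016-0003", "constructed: information disclosure", "https://example.invalid/adv/3", date(2016, 2, 1), 4.3),
    CveRecord("CVE-2016-0004", "constructed: same score as 0001, older", "https://example.invalid/adv/4", date(2015, 11, 20), 9.8),
]

def triage_sample(today_iso: str = "2016-03-01"):
    """Run the triage over the constructed sample as of the given ISO date."""
    return triage(SAMPLE, date.fromisoformat(today_iso))

if __name__ == "__main__":
    print(triage_sample())  # ['CVE-2016-0004', 'CVE-2016-0001', 'CVE-2015-0002']
```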

What's happening on a server?

  • Backup
  • Updates
  • Certifications
  • Process
  • Provisioning
  • Security
  • Hardware Maintenance

What's happening on a server?

Every server keeps generating new state, without end

Immutable infrastructure

Two states:

  • Functional
  • Not functional

App update? OS update? Hardware maintenance?

Redeploy new instance and delete the old one

Service uptime != Server uptime

Handle data?

Use different volumes!

  • One volume for the OS
  • Short-lived volume for the data

Conclusion

"There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked"

  • Security is hard
  • Handling CVE is hard
  • Automation and immutable infrastructure are the key

Do you have any questions?

Overview of GNU/Linux distributions

Binary-based distribution

Source-based distribution

Overview of GNU/Linux distributions

Source-based distribution

Advantages:

  • Light
  • Hackability
  • Upstream-friendly

Documented vulnerabilities per year provided by SRCCLR

The new Stack by Google

  • Applications Ops
  • Cluster Ops
  • Kernel/OS Ops
  • Hardware Ops

Immutable applications

Kubernetes