Summary
- What is a vulnerability/CVE?
- What's happening on a server?
- Immutable Infrastructure
- Conclusion
Appendices:
- Overview of GNU/Linux distributions
- The new Stack by Google
- Immutable application
What is a vulnerability?
Intersection of:
- The presence of a flaw.
- The possibility for an attacker to access it.
- The possibility for an attacker to exploit it.
What is a CVE?
Common Vulnerabilities and Exposures
- A unique identifier
- A description
- A reference
- An entry date
- A priority
Writing code is hard
"The design of Linux and BSD is secure. The implementation is not."
Why Rust? by Redox-OS
So, I need to upgrade my servers on a daily basis...
What's happening on a server?
- Backup
- Updates
- Certifications
- Process
- Provisioning
- Security
- Hardware Maintenance
What's happening on a server?
All the servers are generating an infinite number of states
Immutable infrastructure
Two states:
- Functional
- Not functional
App update? OS update? Hardware maintenance?
Redeploy new instance and delete the old one
Service uptime != Server uptime
Handle data?
Use different volumes!
- One volume for the OS
- Short-lived volume for the data
Conclusion
"There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked"
- Security is hard
- Handling CVE is hard
- Automation and immutable infrastructure are the key
Do you have any questions?
Overview of GNU/Linux distributions
Source-based distribution
Advantages:
- Light
- Hackability
- Upstream-friendly
Documented vulnerabilities per year provided by SRCCLR
The new Stack by Google
- Applications Ops
- Cluster Ops
- Kernel/OS Ops
- Hardware Ops
Immutable applications
Kubernetes
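Added example (not part of the original deck): a Kubernetes Deployment that applies the "redeploy a new instance and delete the old one" rule and the "different volumes" rule from the Immutable infrastructure slides. The app name `web`, the image `registry.example/web:1.4.2`, the port, the `/healthz` path and the claim name `web-data` are assumptions.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web                      # hypothetical application name
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 0          # never below the desired count: service uptime != server uptime
      maxSurge: 1                # bring the new instance up first, then delete the old one
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
      - name: web
        image: registry.example/web:1.4.2   # placeholder; pin a fixed tag or digest, never :latest
        securityContext:
          readOnlyRootFilesystem: true      # the "OS volume": nothing is patched in place
          allowPrivilegeEscalation: false
        ports:
        - containerPort: 8080
        readinessProbe:                     # traffic moves only once the new instance answers
          httpGet:
            path: /healthz
            port: 8080
        volumeMounts:
        - name: data
          mountPath: /var/lib/web           # application data, kept apart from the instance
        - name: scratch
          mountPath: /tmp
      volumes:
      - name: data
        persistentVolumeClaim:
          claimName: web-data               # assumed claim; survives the instance being replaced
      - name: scratch
        emptyDir: {}                        # short-lived volume, discarded with the instance
```

Changing the `image` field is the whole update procedure: Kubernetes creates a pod from the new image, waits for its readiness probe, then deletes the old pod, so an OS or app update never means logging into a server to patch it.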