
Linux Foundation

Open Source CVE Monitoring and Management - Cutting Through the Vulnerability Storm

Linux Foundation via YouTube

Overview

Explore the intricacies of open source CVE monitoring and management in this 40-minute Linux Foundation conference talk. Gain insights into the process of monitoring Common Vulnerabilities and Exposures (CVEs), determining their applicability, assessing severity, and finding fixes. Delve into the challenges of tracking CVEs due to inaccuracies in NVD/MITRE feeds and scanning tools. Learn techniques to mitigate issues and improve device security posture. Discover the DIY approach to CVE monitoring and patching, understand the pros and cons of upgrades versus backports, and examine CVE data quality issues. Investigate Yocto-specific solutions and improvements for CVE checking. Analyze delays in CVE reporting and explore strategies for leveraging work done by others. Gain knowledge about secure boot, chain of trust, and layered security approaches. Leave with valuable insights and a tools wishlist to enhance your open source security practices.

Syllabus

Intro
CVE what?
How much does security mean to you?
CVE content
How to monitor CVEs? Linux distro model
DIY CVE monitoring
CVE monitoring in Yocto: built-in support for automatically checking CVEs
I have a CVE list, now what?
DIY CVE Patching
Upgrade vs. Backport
Reasons to upgrade
CVE data quality (False positives and misses)
Yocto solutions
Yocto CVE report bugs, YMMV
Yocto CVE check improvements, YMMV
Linux kernel CVEs
Delays in CVE reporting / analysis
Fun stats on delays
Leveraging work done by others!
Secure boot and chain of trust
Layered approach
Tools wishlist
Take away

Taught by

Linux Foundation

