Keeping Up with Security Vulnerabilities

Keeping Up with Security Vulnerabilities

Yesterday we held our first Black Duck MasterClass, and if you missed it, you can still view the recording here. At 90 minutes long, it's full of information. We tried to keep it balanced and not go too far into the weeds, but tailoring content to a broad audience requires concessions. We’re going to have our next MasterClass in early January and very much want your feedback and suggestions on content.

One of the attributes of the MasterClass format is interactivity. We welcome questions, and take the time to address them during the session. In fact, if you view the recording, you’ll find we’re not afraid to interrupt the speaker with a question.

Security Vulnerabilities in glibc

One segment of the MasterClass contained a timeline for a glibc vulnerability disclosed earlier this year. CVE-2015-7547 covers a getaddrinfo stack-based buffer overflow. This vulnerability started out as a defect report in July 2015 and ultimately resulted in a high profile disclosure in February 2016. One live attendee at the MasterClass called me out on the timeline stating:

WTH... debian had fixed the GHOST glibc vuln (CVE-2015-0235) at 27.1.2015 for all distributions receiving security support. Your timelines are quite far off! https://lists.debian.org/debian-security-announce/2015/msg00025.html

Challenges Keeping Up

This question highlights a number of challenges in keeping up with vulnerabilities. In this case, there was confusion over which glibc vulnerability I was describing. CVE-2015-7547 and CVE-2015-0235 are two entirely different problems within the same package. It just happens that both were high profile, and CVE-2015-0235 was branded with the marketing name GHOST. Putting a marketing name on a vulnerability increases its visibility, which in turn means Site Reliability Engineers (SREs) remember it when they heard about it. The best example of this phenomenon is Heartbleed. We all remember Heartbleed and the work required to sort out fixes.

In the end what we see is just how confusing it is to keep up with vulnerability reports. New reports are constantly being issued. National data feeds often lag significantly, a case in point is Dirty Cow, whose CVE entry (CVE-2016-5195) has yet to make the NVD a week after hitting the press. Delays in data flow increase the risk of compromise, so having a clear understanding of what is running in an environment is critical. Having proactive notification of issues impacting your environment is something we all can have. Keeping up with open source vulnerability management need not be hard. Black Duck can help.

Black Duck Container Security MasterClass - Security Response Process

0 Comments
Sorry we missed you! We close comments for older posts, but we still want to hear from you. Tweet @black_duck_sw to continue the discussion.
0 Comments

MORE BY THIS AUTHOR

DevConf, OpenShift and Black Duck

| Jan 27, 2017

It’s that time again, a kickoff to the year’s activities. For me, the first event is DevConf, where I’ll be speaking on the joys of security in an ever increasing Agile and DevOps world. As is my wont, I’ll be presenting concepts that both challenge existing paradigms and provide a way forward. It

| MORE >

A Resolution for Prosperity in Product Development

| Jan 4, 2017

For many, the start of a new year is a time of reflection and renewal. Every year we see a flurry of resolutions for the new year. These resolutions can take many forms and typically focus on health, lifestyle and prosperity. For this blog I’m going to focus a bit on the prosperity aspect.

| MORE >

Top 3 Open Source Security Lessons for 2016

| Dec 27, 2016

GHOST stories, Dirty COWs and IoT Attacks Three high profile open source security events that happened in 2016 and lessons can be learned from them. With another year under our belts, it’s a great time to look back at open source security vulnerabilities. #3 — CVE-2015-7547 CVE-2015-7547 is often

| MORE >