Keeping Up with Open Source Security Vulnerabilities

Yesterday we held our first Black Duck MasterClass, and if you missed it, you can still view the recording here. At 90 minutes long, it's full of information. We tried to keep it balanced and not go too far into the weeds, but tailoring content to a broad audience requires concessions. We’re going to have our next MasterClass in early January and very much want your feedback and suggestions on content.

One of the attributes of the MasterClass format is interactivity. We welcome questions, and take the time to address them during the session. In fact, if you view the recording, you’ll find we’re not afraid to interrupt the speaker with a question.

Open Source Security Vulnerabilities in glibc

One segment of the MasterClass contained a timeline for a glibc vulnerability disclosed earlier this year. CVE-2015-7547 covers a getaddrinfo stack-based buffer overflow. This vulnerability started out as a defect report in July 2015 and ultimately resulted in a high-profile disclosure in February 2016. One live attendee at the MasterClass called me out on the timeline, stating:

WTH... Debian had fixed the GHOST glibc vuln (CVE-2015-0235) on 27.1.2015 for all distributions receiving security support. Your timelines are quite far off!

Challenges Keeping Up

This question highlights a number of challenges in keeping up with open source security vulnerabilities. In this case, there was confusion over which glibc vulnerability I was describing. CVE-2015-7547 and CVE-2015-0235 are two entirely different problems within the same package. It just happens that both were high-profile, and CVE-2015-0235 was branded with the marketing name GHOST. Putting a marketing name on a vulnerability increases its visibility, which in turn means Site Reliability Engineers (SREs) remember it once they have heard about it. The best example of this phenomenon is Heartbleed. We all remember Heartbleed and the work required to sort out fixes.

In the end, what we see is just how confusing it is to keep up with vulnerability reports. New reports are constantly being issued. National data feeds often lag significantly; a case in point is Dirty Cow, whose CVE entry (CVE-2016-5195) has yet to make the NVD a week after hitting the press. Delays in data flow increase the risk of compromise, so having a clear understanding of what is running in an environment is critical. Proactive notification of issues impacting your environment is something we all can have. Keeping up with open source vulnerability management need not be hard. Black Duck can help.
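The two problems above, a marketing name masking which CVE is meant and a national feed that lags the press, are easy to get wrong by hand. The following is an added example, not Black Duck code: a small Python tracker that resolves names such as GHOST to their CVE id and reports which advisories remain open for a host, using only the CVE ids and package names from this post; the advisory records and the host inventory are constructed sample data, and the `in_nvd` flag is an assumed field.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve: str
    package: str
    summary: str
    aliases: tuple = ()
    in_nvd: bool = True   # assumed field: False while the national feed lags the press


# Constructed sample feed (not a real data source): the two glibc issues the post
# says were confused, plus Dirty Cow, which had not reached the NVD when this was written.
ADVISORIES = (
    Advisory("CVE-2015-0235", "glibc", "glibc issue branded GHOST", ("GHOST",)),
    Advisory("CVE-2015-7547", "glibc", "getaddrinfo stack-based buffer overflow"),
    Advisory("CVE-2016-5195", "linux", "Linux kernel issue branded Dirty Cow",
             ("Dirty Cow", "DirtyCOW"), in_nvd=False),
)


def _norm(ref):
    """Normalise a reference so 'dirty cow', 'DirtyCOW' and 'Dirty-Cow' compare equal."""
    return "".join(ch for ch in ref.lower() if ch.isalnum())


def resolve(ref, advisories=ADVISORIES):
    """Map a CVE id or a marketing name to its advisory; None if it is unknown."""
    key = _norm(ref)
    for adv in advisories:
        if key == _norm(adv.cve) or key in {_norm(a) for a in adv.aliases}:
            return adv
    return None


def open_issues(remediated, advisories=ADVISORIES):
    """Return {package: [cve, ...]} still open on a host.

    `remediated` maps each deployed package to the set of CVE ids already fixed
    there; fixing one glibc CVE does not close the other one.
    """
    report = {}
    for adv in advisories:
        if adv.package in remediated and adv.cve not in remediated[adv.package]:
            report.setdefault(adv.package, []).append(adv.cve)
    return report


def not_yet_in_nvd(advisories=ADVISORIES):
    """CVE ids that must be tracked from upstream or vendor sources until the NVD catches up."""
    return [adv.cve for adv in advisories if not adv.in_nvd]


if __name__ == "__main__":
    # Constructed inventory: a host with the GHOST fix applied and nothing else.
    host = {"glibc": {"CVE-2015-0235"}, "linux": set()}
    print(resolve("ghost").cve)   # CVE-2015-0235, not CVE-2015-7547
    print(open_issues(host))      # {'glibc': ['CVE-2015-7547'], 'linux': ['CVE-2016-5195']}
    print(not_yet_in_nvd())       # ['CVE-2016-5195']
```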

Black Duck Container Security MasterClass - Security Response Process
