Finding our way out of the CVE dungeon

  • Published: 27 Jun 2024
  • In his Upstream session, James Berthoty, CEO of Latio Tech, provides an overview of the problem with submitting CVEs to GitHub issues, and why it is frustrating for compliance teams and maintainers alike. In this clip, he introduces why the scanner mentality is preventing us from securing the software supply chain.
    Watch the full talk here: explore.tidelift.com/upstream...
    Transcript:
    The goal here is to find our way out of the CVE dungeon in which we have unfortunately locked ourselves. So first, let's talk about the current process. So the frustrating game that we all play can be super annoying to deal with, if you've received some of these. I just went on an open source repo here and found sort of the first example, and there are so many of these things; I cringe so much as a security professional every time I see one of these. So Orca Security Scan finds vulnerability CVE 2023 in this repo, right? So the scanner that the company has bought, whether they're using Orca, Sysdig, Wiz, Aqua, no matter what, first of all, it's probably Trivy under the hood. But once that scanner finds a CVE, there's something that compliance teams don't really know what to do with, right? Because they've scanned this image that they're ingesting from an open source project that they're treating as though it's a vendor that they're paying for, then they are reporting that CVE as though it was a confirmed vulnerability to the vendor, and asking for a timeline to fix it. Oftentimes (you can see this was opened in March) the CVEs sort of just get ignored or fade away into oblivion, because there's no clear policy of what we do, right? This is a frustrating process for maintainers, because they are just given random CVEs that they're supposed to waste their time going to investigate, frankly, because the compliance team was too lazy to actually do the investigation themselves of whether there's a vulnerability there. So to be fair to compliance teams, I wanted to show why it's not just laziness that causes these issues: container vulnerability scanning is just extremely complicated, and it is a huge battleground for false positives.
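As an added illustration (not code from the talk, Latio Tech or Tidelift), here is the kind of triage step a compliance team could run over scanner output before opening an issue against a project: it drops findings the project has already documented as not affected in a VEX statement, sets aside findings for which no fixed package exists yet (so there is no fix date to ask for), and keeps the rest for manual investigation. The scan and VEX inputs are constructed Trivy-style and OpenVEX-style samples; the CVE ids, package names and versions are placeholders.

```python
import json

# Constructed, Trivy-style scan output for an image pulled from an open source
# project. CVE ids, package names and versions are placeholders, not real findings.
SCAN_JSON = json.dumps({"Results": [{"Target": "example/app:1.0 (alpine)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-2023-00001", "PkgName": "libfoo", "InstalledVersion": "1.2.0",
     "FixedVersion": "1.2.1", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-2023-00002", "PkgName": "libbar", "InstalledVersion": "3.0.0",
     "FixedVersion": "", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-2023-00003", "PkgName": "libbaz", "InstalledVersion": "0.9.0",
     "FixedVersion": "0.9.5", "Severity": "MEDIUM"},
]}]})

# Constructed OpenVEX-style statements that the project could publish for its image.
VEX_JSON = json.dumps({"statements": [
    {"vulnerability": {"name": "CVE-2023-00003"}, "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"},
]})


def load_vex(vex_json):
    """Index VEX statements by CVE id so each scanner finding is a single lookup."""
    return {s["vulnerability"]["name"]: s for s in json.loads(vex_json)["statements"]}


def triage(scan_json, vex_json):
    """Return {cve_id: (decision, reason)} for every finding, in scanner order.
    'suppress'    - the project states it is not affected (VEX); nothing to report.
    'track'       - no fixed package is published; asking for a fix timeline is pointless.
    'investigate' - a fix exists; confirm the code is reachable before reporting it."""
    vex = load_vex(vex_json)
    decisions = {}
    for result in json.loads(scan_json)["Results"]:
        for v in result.get("Vulnerabilities", []):
            cve = v["VulnerabilityID"]
            stmt = vex.get(cve)
            if stmt and stmt["status"] == "not_affected":
                decisions[cve] = ("suppress", f"VEX: {stmt.get('justification', 'no justification')}")
            elif not v.get("FixedVersion"):
                decisions[cve] = ("track", f"{v['PkgName']} {v['InstalledVersion']}: no fixed version published")
            else:
                decisions[cve] = ("investigate",
                                  f"{v['PkgName']} {v['InstalledVersion']} -> {v['FixedVersion']} ({v['Severity']})")
    return decisions


def report_candidates(decisions):
    """Only findings that survived triage are worth a maintainer's time."""
    return sorted(cve for cve, (decision, _) in decisions.items() if decision == "investigate")


if __name__ == "__main__":
    for cve, (decision, reason) in triage(SCAN_JSON, VEX_JSON).items():
        print(f"{cve}: {decision} - {reason}")
```

Anything that lands in the investigate bucket still needs a human to check whether the vulnerable code is actually present and reachable in the image; the reason string is the evidence to attach if an issue is eventually filed.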
