Open Source CVE Monitoring and Management: Cutting Through the Vulnerability Storm
| Field | Value |
|---|---|
| Talk Title | Open Source CVE Monitoring and Management: Cutting Through the Vulnerability Storm |
| Speakers | Akshay Bhat (Technical Director - Security, Timesys) |
| Conference | Open Source Summit + ELC North America |
| Conf Tag | |
| Location | San Diego, CA, USA |
| Date | Aug 19-23, 2019 |
| URL | Talk Page |
| Slides | Talk Slides |
| Video | |
A key aspect of maintaining device security is monitoring and addressing known vulnerabilities in open source software in a timely fashion. This presentation will help you get started with the process of monitoring CVEs, determining applicability, assessing severity and finding fixes. We take a deeper dive into some of the challenges in tracking CVEs that arise from NVD/MITRE feeds containing incorrect or missing data, leading to missed vulnerabilities and a false sense of security. The problem is compounded by inaccuracies in scanning tools and by the way fixes are tagged in build systems, resulting in an alarming number of false positives. We review the CVEs reported by cve-check-tool in Yocto and determine the root causes of the inaccuracies. We also discuss techniques to mitigate these issues so that the entire community can benefit. This presentation will enable you to improve your device security posture.