A secure software supply chain with 0 vulnerabilities sounds like a great idea, but once you start looking through entire dependency chains and large systems, it can be a lot harder to achieve than one might expect. Using the free, open source CVE Binary Tool vulnerability scanner (written in Python!), we'll show what it looks like to set up vulnerability scanning, what kinds of fun things you find, and how keeping things up to date can mean an ongoing maintenance burden that is more like a free puppy than a free beer. We'll talk about how naive policies, governmental mandates and capitalism may ruin your day, and what we can do to stay secure and help everyone get past the puppy phase without sending anyone back to the pound.
Why should you care about known vulnerability scanning? (3 minutes)
- What is supply chain security?
- Why are governments and major companies freaking out about it right now?
Why should you listen to me? (2 minutes)
- brief intro/credentials/experience: I've got a PhD in security, work in open source security for a major company, and maintain a tool for open source teams to do vulnerability scanning for free
- also, a picture of my puppy and explanation of how I understand "free as in puppies" a lot more deeply now
How do I do a known vulnerability scan? (5 minutes)
- This will focus on using CVE Binary Tool (because it's what I know best and it should be interesting to a PyCascades audience), but I will mention some other tools available for free to open source developers
- CVE Binary Tool is free, open source and written in Python. Lots of our new features have been developed as part of the Python Software Foundation's summer mentoring program under the Google Summer of Code banner.
- Two types of scans:
1. scans to find components -- how does that work?
2. scanning a list of known components -- how to prepare a software bill of materials (SBOM)
What do I do when it finds something? (5 minutes)
- how to triage a scan & fix issues
- Types of unfixed issues, how they happen, and what to do:
1. Fix is still in progress
2. Issue is disputed/incorrect
3. Issue is reporting an intentional behaviour
4. Developers will not fix the issue
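As an added illustration of the triage step (example code written for this outline, not CVE Binary Tool's own triage format or output): a small pass that takes constructed scan findings plus a triage record per CVE using the four "unfixed issue" categories above, and reports only what still needs attention. The "fix in progress" state carries a recheck date so that a pending fix resurfaces instead of being silently forgotten; the field names and CVE identifiers are constructed placeholders.

```python
from datetime import date

# Constructed sample scan findings: one row per (product, version, CVE).
# The CVE identifiers are placeholders, not real advisories.
SCAN_RESULTS = [
    {"product": "libfoo", "version": "1.2.3", "cve": "CVE-0000-0001", "severity": "HIGH"},
    {"product": "libfoo", "version": "1.2.3", "cve": "CVE-0000-0002", "severity": "MEDIUM"},
    {"product": "libbar", "version": "4.5.0", "cve": "CVE-0000-0003", "severity": "CRITICAL"},
    {"product": "libbaz", "version": "0.9.0", "cve": "CVE-0000-0004", "severity": "LOW"},
    {"product": "libqux", "version": "2.0.0", "cve": "CVE-0000-0005", "severity": "HIGH"},
]

# Constructed triage records mirroring the four categories of unfixed issues.
# A "fix_in_progress" record must carry a recheck date so it cannot be parked forever.
TRIAGE = {
    "CVE-0000-0001": {"status": "fix_in_progress", "recheck": date(2024, 1, 31), "note": "upstream PR open"},
    "CVE-0000-0002": {"status": "disputed", "note": "vendor says the code path is not reachable here"},
    "CVE-0000-0003": {"status": "intentional", "note": "documented behaviour, mitigated by configuration"},
    "CVE-0000-0004": {"status": "wont_fix", "note": "end-of-life component, risk accepted by owner"},
}

# Statuses that suppress a finding indefinitely (they still need a note for the audit trail).
SUPPRESSIBLE = {"disputed", "intentional", "wont_fix"}


def triage(findings, triage_records, today):
    """Return the findings that still need a human, each tagged with the reason."""
    actionable = []
    for finding in findings:
        record = triage_records.get(finding["cve"])
        if record is None:
            # Nobody has looked at this one yet: always actionable.
            actionable.append({**finding, "reason": "untriaged"})
        elif record["status"] == "fix_in_progress":
            # Pending fixes are quiet only until their recheck date passes.
            if today > record["recheck"]:
                actionable.append({**finding, "reason": "fix overdue: " + record["note"]})
        elif record["status"] not in SUPPRESSIBLE:
            # Guard against typos in hand-edited triage files.
            actionable.append({**finding, "reason": "unknown triage status " + record["status"]})
    return actionable


if __name__ == "__main__":
    for item in triage(SCAN_RESULTS, TRIAGE, date(2024, 3, 1)):
        print(item["cve"], item["product"], item["version"], item["severity"], "->", item["reason"])
```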
Why is known vulnerability scanning going to ruin the world? (8 minutes)
- Is it more expensive to fix vulnerabilities or prevent people from reporting them?
- Can you ever have a large system with 0 known vulnerabilities?
- What should we be doing about the quality of publicly known vulnerabilities, if anything?
- Is it possible to make policies that won't ruin everything?
Conclusions (2 minutes)
- How puppy raising & security are great (except when they aren't)
- how both get better after a few months and some experience!