SECURING THE VALUE OF SUBSCRIPTION
Subheading goes here <-- we should get one of those
Mark Thacker, Platform/RHEL Business Unit
CRob, Ambassador of Red Hat Product Security
Thursday, May 9, 1:00 p.m.-1:45 p.m.
AGENDA
● Greetings from MThacker & CRob - we do stuff!
● Open Source Communities
● What Red Hat brings to OSS
● How a CVE works
● Why are the scores different?
● 2018 Red Hat Product Security Fun Facts
● Closing
SPEAKER INTRODUCTIONS
● CRob, n, adj, and v
○ Pronunciation: U.S. (K-robe)
● Over 20 years of Enterprise-class Architecture, Engineering, Operations, and Security experience
● Participant in the FIRST PSIRT SIG, VulnCoord SIG, and others. Co-Author FIRST PSIRT Services Framework
● A Summit “Top Speaker” 2017 & 2018
● Pirate-enthusiast & hat-owner
● Ambassador of Red Hat Product Security
● MThacker, n
○ Pronunciation: U.S. (Mmm-Th-ak-r)
○ Or Mark Thacker if you prefer
● Over 25 years of Enterprise-class Architecture, Operations, and Security experience
● Multi-time Summit presenter, Common Criteria poster-child, Pragmatic Marketing certified
● Principal Product Manager for RHEL Security
COMMUNITIES
A Day in the Life of a Package
RED HAT'S UNIQUE APPROACH
FROM COMMUNITY TO ENTERPRISE
DECISIONS
● There are literally THOUSANDS of packages that make up our Product Portfolio.
○ Product Security actively monitors over 450,000 packages
● How does Red Hat decide what packages or features get included?
RED HAT SUPPLY CHAIN SECURITY
Reducing Risk and Making Open Source Consumable by the Enterprise
Upstream First! We are Community Leaders!
Stages labelled in the slide's package-flow diagram:
● Fedora new package review request in Bugzilla
● Tracking packages for release versions in Fedora
● Selected Fedora packages make it into RH internal git repo for RHEL. Developer must sign all commits.
● Static code analysis
● Compile flags for hardening + preventing exploits
● Extensive QA testing per release
● All packages digitally signed; Secure Distribution
● Continuous security monitoring & updates
PRODUCT MANAGEMENT MEETS SECURITY
THE VOICE OF THE CUSTOMER
CERTIFICATIONS?
SECURITY CERTIFICATION
● Federal Information Processing Standard (FIPS)
● US Public Sector - often required by any regulated customer
● Requires use only of approved algorithms and key sizes
● Vendor implementation independently verified and proven
● Only valid for the specific module (not downstream, not other distros)
● World-wide recognition of independently verified security claims
● Required by many public sector agencies
● RHEL, Certificate Server and others
● Many years of investment with aggressive re-certifications planned
● Only valid for the product certified (i.e. not downstream / not other distros)
THE ANATOMY OF A CVE
BUGS, DEFECTS, VULNERABILITIES
RED HAT PRODUCT SECURITY
Red Hat Product Security works constantly to ensure timely and appropriate security fixes for our supported products and services. Our security response process is carefully designed and thoroughly validated to manage vulnerabilities.
Our team ensures product and service security by:
● Investigating issues and then identifying affected products
● Evaluating the impact
● Determining any necessary remediation actions
● Communicating resolution options to ensure subscribers can protect themselves. CSAW process for significant issues.
CUSTOMER EXPERIENCE & ENGAGEMENT
Red Hat Customer Experience and Engagement is strategically positioned within the engineering organization, creating a more direct route for customer-driven product improvements and faster engineering-related fixes.
Labels from the organization chart on the slide:
● CUSTOMER EXPERIENCE AND ENGAGEMENT
● Customer Platform
● Product Security
● Development & Operations
● Global Support Services
● Quality Engineering
● CEE Strategic Services
● Global Customer Success
● Customer Content Services
● CUSTOMER PORTAL
● PRODUCTS AND TECHNOLOGIES
HOW A VULN REPORT TURNS INTO A PATCH
YOUR VOICE COUNTS
WHAT IS A SECURITY VULNERABILITY?
A security vulnerability is a software, hardware or firmware flaw that could allow an attacker to interact with a system in a way it is not supposed to.
There are many types of security vulnerabilities, among which the most concerning are:
● Compromise of sensitive data (keys, financial information, customer information)
● Ability to execute arbitrary code on remote systems
● Denial of availability for mission-critical services
The severity of a vulnerability is determined by:
● the complexity of the vulnerability being exploited,
● the impact to the system or asset that is exposed, and
● the value of that system or asset
COMMON VULNERABILITIES AND EXPOSURES
CVEs provide a transparent, vendor-agnostic way to identify and track security issues; each CVE identifies a single, unique vulnerability.
● Red Hat Product Security assigns CVEs to every security issue that impacts our products
● CVEs may be assigned retroactively to previous bugs that are found to be security-relevant
● All CVEs affecting Red Hat products are listed in our public database
https://access.redhat.com/security/security-updates/#/cve
CVE IN-DEPTH
CVEs all contain a unique identifier:
CVE-2017-42
CVEs all contain a brief description:
A flaw in the memory manager of the Babel Fish could allow a malicious attacker to change output from the Babel Fish’s translation
CVEs all include relevant references:
Megadodo Industries Bug Tracker: 42 www.md.org.net.com/bz=42.htm
https://cve.mitre.org/about/index.html
CVSS - COMMON VULNERABILITY SCORING SYSTEM
(Figure labels on the slide: Product Management; Red Hat Product Security)
HOW TO SCORE USING CVSS
Determine the base score. There are 8 dimensions of the flaw to review:
● Attack Vector
● Attack Complexity
● Privileges Required
● User Interaction
● Scope
● Confidentiality
● Integrity
● Availability
Each is rated (mostly) on a High-Low-None scale.
Those playing on the “Expert Level” could also look at these aspects of the issue:
Temporal
● Exploit Code Maturity
● Remediation Level
● Report Confidence
Environmental
● CIA Requirement
● Modified base score dimension
So you can modify the severity based off of *YOUR* environment!
WHAT DOES A CVSS SCORE LOOK LIKE?
CVSS:3.0- 9.8/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS:3.0 - This is the version of CVSS used to score this flaw
9.8 - This is the score for the issue.
Attack Vector - So the attack comes across the network
Attack Complexity - The attack isn’t very hard to execute
Privileges Required - It doesn’t need any local privileges
User Interaction - The attack doesn’t require any user interaction
Scope - The scope is unchanged, so the attack only works with the permissions of the service it has compromised.
C.I.A. - So the Confidentiality, Integrity, and Availability of files can be completely compromised.
https://www.first.org/cvss/calculator/3.0
CVSS != RISK
CVSS is just one data point in risk assessment.
Other factors that Red Hat considers:
● Is the flaw even applicable to a Red Hat product?
● How is the code built in Red Hat products (compiler flags, etc)?
● Does the ‘fix’ break compatibility?
● Are there built-in mitigations (SELinux) that reduce risk?
● What is the lifecycle of the affected product?
What risk factors do you need to consider?
● How, and where, are the affected products deployed?
● Performance trade-off versus risk assessment
● Regulatory compliance requirements versus actual risk
BUT WHY IS IT DIFFERENT?
WHERE DO THE SCORES COME FROM?
National Vulnerability Database - NVD
● Issue not necessarily scored by technology-expert
● Score does not take into account things like compiler switches, default hardening, nor tools like SELinux
● No testing of reproducer against running environment
● Only ONE score can exist (defers to package owner, then reporter, then MITRE reviewer)
Red Hat
● Issue scored by Red Hat Product Security
● Score accounts for build and configuration options that are Red Hat specific.
● Score reflects actual testing and triage of the issue and specific product versions affected
● Each product impacted could have different scores based off of default configuration
WHY ARE THE SCORES DIFFERENT?
The same issue as scored by different parties (Sec. Researcher, Upstream, Vendor, Red Hat, MITRE/NVD):
CVSS:3.0- 9.8/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS:3.0- 9.8/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS:3.0- 9.2/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS:3.0- 7.2/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
CVSS:3.0- 4.3/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
RED HAT SEVERITY RATINGS
https://access.redhat.com/security/updates/classification/
WHAT IF YOU DISAGREE?
REPORTING SECURITY VULNERABILITIES
If you think you have identified a security vulnerability, contact Product Security at [email protected]
● notably for Red Hat products
● strongly recommended for upstream components in our products
Product Security will analyze and appropriately handle any reports we receive.
In the case of upstream projects, Product Security will help coordinate additional conversations and work with stakeholders on coordinated disclosure time if required.
CUSTOMER SECURITY AWARENESS EVENTS
CSAWs are specialized activities designed to manage high-touch events:
● Critical or Important severity
● Extensive media attention
● Active exploitation
CSAW process helps ensure:
● Expedited solutions
● Transparency and completeness of customer-facing communication
https://access.redhat.com/articles/2968471
2018 VULNERABILITY DATA
VULNERABILITY METRICS
A snapshot of Red Hat Product Security response over the years
https://www.redhat.com/security/data/metrics/
SECURITY FIXES ARE BACKPORTED
● 10-year life cycle of major releases
○ Add-On Extended Life-cycle Support (ELS) for RHEL 5 and RHEL 6
● Extended Update Support (EUS) for those who wish to standardize on a specific minor release for 24 months (vs normal 6 months)
○ Errata and patch support for minor releases
VULNERABILITY ASSESSMENT TOOLS
● Recommend using OpenSCAP where possible.
○ OpenSCAP uses Red Hat security metadata
○ Third-party scanning tools may not properly ingest Red Hat security data, which understands backports and can help eliminate potential false positives
● Red Hat Support Delivery / TAMs can help
https://access.redhat.com/security/updates/backporting/
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sect-using_oscap
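The false positives mentioned on the two slides above come from comparing version strings the wrong way: a scanner that only knows the upstream fix version will flag a backported package whose version number never changed. As an added example (not Red Hat or OpenSCAP code), the following Python re-implements the RPM version ordering and contrasts a naive upstream-version check with a check against the distributor's fixed EVR (epoch:version-release). The package name `libexample`, its version numbers and the advisory EVR are constructed placeholders, not real RHEL data.

```python
"""Backport-aware vulnerability check (added example)."""
import re

_TOKEN = re.compile(r"(\d+|[a-zA-Z]+|~)")


def rpmvercmp(a, b):
    """Compare two RPM version or release strings in librpm's order:
    split into numeric and alphabetic runs (separators are ignored), numbers
    compare numerically, letters lexically, a number beats letters, and '~'
    sorts before everything (pre-release). Returns -1, 0 or 1."""
    if a == b:
        return 0
    sa, sb = _TOKEN.findall(a), _TOKEN.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    # One string has extra segments: it is newer, unless the extra part
    # starts with '~' (a pre-release suffix), which makes it older.
    longer_is_a = len(sa) > len(sb)
    rest = sa[len(sb):] if longer_is_a else sb[len(sa):]
    if rest[0] == "~":
        return -1 if longer_is_a else 1
    return 1 if longer_is_a else -1


def parse_evr(evr):
    """'epoch:version-release' -> (epoch, version, release); epoch defaults to 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evrcmp(a, b):
    """Full EVR comparison: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def naive_is_vulnerable(installed_evr, upstream_fixed_version):
    """What a scanner does when it only knows the upstream fix version:
    it ignores epoch and release, so a backported fix is invisible to it."""
    return rpmvercmp(parse_evr(installed_evr)[1], upstream_fixed_version) < 0


def backport_aware_is_vulnerable(installed_evr, vendor_fixed_evr):
    """Compare the full EVR against the EVR named in the distributor's advisory."""
    return evrcmp(installed_evr, vendor_fixed_evr) < 0


def split_nevra(nevra):
    """'name-version-release.arch' -> (name, 'version-release'); names may contain dashes."""
    stem = nevra.rsplit(".", 1)[0]            # drop the architecture
    name, version, release = stem.rsplit("-", 2)
    return name, "%s-%s" % (version, release)


# Constructed sample (placeholder values): upstream fixed the flaw in 2.4.7, and
# the distributor backported that fix into its 2.4.3 package at release 12.el7.
INSTALLED = "libexample-2.4.3-15.el7.x86_64"
UPSTREAM_FIXED = "2.4.7"
VENDOR_FIXED_EVR = "0:2.4.3-12.el7"


def assess(nevra=INSTALLED, upstream=UPSTREAM_FIXED, vendor=VENDOR_FIXED_EVR):
    """Return both verdicts for one installed package so they can be compared."""
    name, evr = split_nevra(nevra)
    return {"package": name,
            "naive": naive_is_vulnerable(evr, upstream),
            "backport_aware": backport_aware_is_vulnerable(evr, vendor)}


if __name__ == "__main__":
    print(assess())   # naive says vulnerable, the EVR check says fixed
```

For the constructed host the naive check reports the package as vulnerable (2.4.3 is older than 2.4.7) while the EVR check, fed the distributor's fixed EVR, correctly reports it as fixed (15.el7 is newer than 12.el7); that gap is exactly the class of false positive the slide attributes to scanners that do not consume the distributor's own security data.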
IN CLOSING
● MThacker & CRob are really great guys (seriously!)
● Open Source Communities - are AWESOME!!
● What Red Hat brings to OSS - Hats and such
● How a CVE works - Another day, another vuln
● Why are the scores different? ...for Reasons
● 2018 Red Hat Product Security Fun Facts
● Closing - ...uh...this slide
CRob_at_RedHat_dot_com / @RedHatCRob
mthacker_at_RedHat_dot_com / @thackman