6. Common Vulnerabilities and Exposures (CVE®)
● Publicly known cybersecurity vulnerabilities
● Examples:
○ Heartbleed : CVE-2014-0160
■ OpenSSL
○ Shellshock: CVE-2014-6271
■ GNU Bash
7. atomic scan
● Scan a container or container image for CVEs.
● Can scan all images or containers at once.
● Plugin architecture for the scan tool.
From atomic CLI
8. How does this work?
● Detect the operating system
● Get the appropriate CVE feed from vendor
● Check the image or container with OpenSCAP
● Parse the results
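The last step above, parsing the results, is where a scanner turns OpenSCAP output into a list of CVEs. The following is an added example, not code from the atomic project or from the slides: it assumes an OVAL results document in the OVAL 5 results schema, as written by `oscap oval eval --results`, in which each evaluated definition is linked back to its embedded metadata and the CVE references there. The sample document, its definition ids and titles are constructed for illustration; the two CVE ids are the ones named on the slides.

```python
"""Extract CVE findings from an OpenSCAP OVAL results file.

For class="patch" definitions, result="true" means the check matched,
i.e. the fix is absent and the CVE applies.  Results other than
"true"/"false" (error, unknown, not evaluated) are reported separately so
a scan that silently failed is not mistaken for a clean one.
"""
import xml.etree.ElementTree as ET

NS = {
    "res": "http://oval.mitre.org/XMLSchema/oval-results-5",
    "def": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
}

# Constructed sample (not real scanner output): three definitions were
# evaluated; one matched (vulnerable), one did not, and one errored and has
# no metadata entry, which exercises the "unresolved" path below.
SAMPLE_RESULTS = """
<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5"
              xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <oval-def:oval_definitions>
    <oval-def:definitions>
      <oval-def:definition id="oval:example:def:1" version="1" class="patch">
        <oval-def:metadata>
          <oval-def:title>openssl security update (constructed)</oval-def:title>
          <oval-def:reference source="CVE" ref_id="CVE-2014-0160" ref_url="https://example.invalid/"/>
        </oval-def:metadata>
      </oval-def:definition>
      <oval-def:definition id="oval:example:def:2" version="1" class="patch">
        <oval-def:metadata>
          <oval-def:title>bash security update (constructed)</oval-def:title>
          <oval-def:reference source="CVE" ref_id="CVE-2014-6271" ref_url="https://example.invalid/"/>
        </oval-def:metadata>
      </oval-def:definition>
    </oval-def:definitions>
  </oval-def:oval_definitions>
  <results>
    <system>
      <definitions>
        <definition definition_id="oval:example:def:1" version="1" result="true"/>
        <definition definition_id="oval:example:def:2" version="1" result="false"/>
        <definition definition_id="oval:example:def:3" version="1" result="error"/>
      </definitions>
    </system>
  </results>
</oval_results>
"""


def parse_oval_results(xml_text):
    """Return {'vulnerable': [...], 'unresolved': [...], 'counts': {...}}."""
    root = ET.fromstring(xml_text)

    # Step 1: index the embedded definitions: id -> (title, [CVE ids]).
    meta = {}
    for d in root.findall(".//def:definitions/def:definition", NS):
        title = d.findtext("def:metadata/def:title", default="", namespaces=NS)
        cves = [r.get("ref_id")
                for r in d.findall("def:metadata/def:reference", NS)
                if r.get("source") == "CVE"]
        meta[d.get("id")] = (title, cves)

    # Step 2: walk the per-system results and classify each definition.
    vulnerable, unresolved, counts = [], [], {}
    for r in root.findall(".//res:results/res:system/res:definitions/res:definition", NS):
        result = r.get("result", "unknown")
        counts[result] = counts.get(result, 0) + 1
        def_id = r.get("definition_id")
        if result == "true":
            title, cves = meta.get(def_id, ("", []))
            vulnerable.append({"definition": def_id, "title": title, "cves": cves})
        elif result != "false":
            # error / unknown / not evaluated: needs a human look, not a pass.
            unresolved.append(def_id)

    return {"vulnerable": vulnerable, "unresolved": unresolved, "counts": counts}


def vulnerable_cves(xml_text):
    """Flat, de-duplicated, sorted list of CVE ids that apply to the target."""
    ids = {cve for f in parse_oval_results(xml_text)["vulnerable"] for cve in f["cves"]}
    return sorted(ids)


if __name__ == "__main__":
    report = parse_oval_results(SAMPLE_RESULTS)
    for f in report["vulnerable"]:
        print(f"{f['definition']}: {f['title']} -> {', '.join(f['cves'])}")
    print("unresolved:", report["unresolved"])
    print("counts:", report["counts"])
```

The same parser applies to a real results file by passing the contents of the `--results` output instead of `SAMPLE_RESULTS`; the point of the `unresolved` list is that an OVAL run can finish with definitions in an `error` or `unknown` state, and a report that only lists `true` results would hide that.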
11. CVE®
● The CVE List is maintained by The MITRE Corporation (not for profit).
● Sponsored by the United States Computer Emergency Readiness Team (US-CERT).
● National Vulnerability Database (NVD):
○ Superset of CVE list.
○ Contains additional analysis, a database and a fine-grained search engine.
○ Maintained by the US National Institute of Standards and Technology (NIST).
○ Data represented using Security Content Automation Protocol (SCAP)
13. Heartbleed CVE in NVD
● https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
14. SCAP
● SCAP is a suite of compliance standards managed by NIST.
● Provides a standardized approach to security, e.g.:
○ Automatically verifying the presence of patches
○ Checking system security configuration settings
○ Examining systems for signs of compromise
15. OpenSCAP
● Creates a framework of libraries to improve the accessibility of SCAP and enhance the usability of the information it represents.
● Awarded the SCAP 1.2 certification by NIST in 2014.