Sisyphus与CVE订阅：规模化的漏洞管理

**Authors
**Keziah Perez Sonder Plattner, Senior Software Engineer
Kadia Mashal, Engineering Manager

**作者
**KeziahPerez Sonder Plattner, 高级软件工程师
Kadia Mashal, 工程经理

Introduction

简介

Every engineer knows that security is a never-ending problem. Until we delete all our code and move into a cottage in the woods, we have to accept that there is no such thing as 100% secure software. You could be doing everything perfectly, and a publicly known vulnerability (CVE) could emerge for the most updated version of a third party library in your infrastructure. Things are secure until they are not. Like with Sisyphus, the boulder will never reach the top of the hill.

每个工程师都知道，安全是一个永无止境的问题。在我们删除所有的代码并搬到森林里的小屋里之前，我们必须接受没有100%安全的软件这一事实。你可能做得很完美，但你的基础设施中的第三方库的最新版本可能出现一个公开的漏洞（CVE）。事情是安全的，直到它们不安全。就像西西弗斯一样，巨石永远不会到达山顶。

Rather than eliminating vulnerabilities, the goal of a vulnerability management program should be to quickly and effectively detect and respond to the barrage of threats that surface every day. There are many scanners and vendor tools that purport to solve the problem. But with the scanners comes the problem of a never-ending flood of CVE reports, thus slowing down our ability to remediate in a timely manner.

漏洞管理计划的目标不是消除漏洞，而是快速有效地检测和应对每天出现的大量威胁。有许多扫描器和供应商的工具声称可以解决这个问题。但是，随着扫描器的出现，CVE报告永无休止地涌入，从而减慢了我们及时补救的能力。

Vulnerability Management Lifecycle

漏洞管理的生命周期

If you are new to vulnerability management, here are the basics of the lifecycle.

如果你是漏洞管理的新手，以下是生命周期的基本情况。

Fig. 1: The Vulnerability Management Lifecycle

图 1: 漏洞管理的生命周期

Detection

探测

Find potential vulnerabilities in our infrastructure, anywhere from CVEs to insecure misconfigurations.

在我们的基础设施中找到潜在的漏洞，从CVE到不安全的错误配置的任何地方。

Risk Assessment

风险评估

Apply a risk framework to the findings to identify true positives and weed out non-applicable vulnerabilities.

对调查结果应用风险框架，以确定真正的积极因素，并剔除不适用的漏洞。

Reporting

报告

Find the team and/or person best suited to address it and track progress in a methodical way. In addition, centrally track all vulnerabilities in order to have a full view of our attac...