How secure is Linux? Patching, static/dynamic analysis, etc...
Are patching services, or kernel developers, or pentesters reliably patching all bugs and vulnerabilities found with the current set of static and dynamic analysis tools that exist today? If they are not, then who is?
It seems like there should be someone or some entity that is capable of doing this. Also, I know that not all bugs can be guaranteed to be found. I just thought using the tools available today that there would be someone or some website devoted to patching the kernel in this manner. Does this all make sense or am I not looking at this problem correctly? |
For the kernel and associated sub-systems, you can start here: https://en.wikipedia.org/wiki/Linux_kernel_mailing_list.
For other services etc that run on Linux, google the home site of each one... |
Consider this: The same Operating System kernel powers >70% of the world's smart phones (Android uses the Linux kernel), and all of the top 500 super computers. Sources: https://gs.statcounter.com/os-market...bile/worldwide https://www.stackscale.com/blog/most...mputers-linux/ That doesn't happen without security. |
There are, in fact, several "white hat" international security monitoring services, such as CERT, who make it their daily business to gather and immediately publicly disclose(!) known security vulnerabilities and to coordinate the process of developing responses to them.
The principle is that there can never be "security by obscurity." Quite the opposite. Every major operating system, for every platform "from mainframe to mobile," is constantly involved in this process. You should always immediately install every "security update" just as soon as it is published, or simply arrange for your computer(s), and phone(s), to do so automatically. "Time is of the essence." But also remember: "Security is a process." The fundamental nature of computers, borne by their sheer complexity, is that "there will always be another hole," and always another person looking for it – regardless of the color of his "hat." And also: "The greatest security vulnerability is always located between two ears." :) |
Obviously there are errors, problems, security holes, lazy developers. So there will always be something to patch.
We always find and fix bugs and in the meantime we create new ones (and they are always different and probably harder to find). |
Thank you for the information. Very informative!
Who is winning, black hat or white hat -- in terms of finding vulnerabilities and exploiting? If security is a process, is there no quick fix to prevent my system from getting hacked? Must I hire a security consultant or is this something I can do on my own? How is it that important organizations are preventing exploitation? Are they relying on this idea that security is a process and simply updating their OS when there is a new security update? How does one bridge the gap between time of discovery of a vulnerability and patching it? |
No operating system is perfectly secure that is still fully useful for most purposes. Linux is easier to secure than most, but it is an ongoing effort. As long as you have data worth protecting, you revisit threats, patches, network and host security, and evaluate vulnerabilities and risk regularly no matter WHAT OS you run. |
Without knowing more of these kinds of details, it is difficult to give you specific advice about locking it down. |
Thank you for the information. I suppose if I wanted to check for vulnerabilities myself that I could do the following:
Break down my software: Linux kernel (specific version), other OS software. Check CVE database for this software. Is the website https://www.cvedetails.com/ reliable for this process? In particular I noticed it lists "# of exploits" for each piece of software. Or, should I reference a different website? And then, be sure that I secure my network. Does that all sound correct? |
Why not rely on your distribution's update mechanism? They all have one, and that should be sufficient.
There are websites like this one, which will show you how your machine looks from the outside: https://www.grc.com/shieldsup |
Also, relying on white hat developers to find vulnerabilities vs a black hat entity who doesn't share with the community their vulnerabilities seems risky. I guess all I can do is either stay updated with the Distro releases and updates and/or check the software for vulnerabilities myself. Advice? |
Lightning strikes, disc failures, fire, flooding, virus, malware... isn't the threat list endless?
And haven't the threats been around since... forever? My take - or advice? Bring it on, I say! :D The important stuff, data, is at hand in multiple copies and can fully restore from bare metal in 10 minutes... A trusted browser filters nasty stuff on the web, my mail-provider filters nasty mails, on Windows antivirus is running in the background... Do you know of Lynis, or similar services? So... chill, breathe and backup. :rolleyes: |