LinuxQuestions.org
Old 03-06-2023, 08:22 PM   #1
watchintv
Member
 
Registered: Oct 2016
Posts: 57

Rep: Reputation: Disabled
How secure is Linux? Patching, static/dynamic analysis, etc...


Are patching services, or kernel developers, or pentesters reliably patching all bugs and vulnerabilities found with the current set of static and dynamic analysis tools that exist today? If they are not, then who is?

It seems like there should be someone or some entity that is capable of doing this.

Also, I know that not all bugs can be guaranteed to be found. I just thought using the tools available today that there would be someone or some website devoted to patching the kernel in this manner.

Does this all make sense or am I not looking at this problem correctly?
 
Old 03-06-2023, 10:11 PM   #2
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,362

Rep: Reputation: 2751
For the kernel and associated sub-systems, you can start here: https://en.wikipedia.org/wiki/Linux_kernel_mailing_list

For other services etc that run on Linux, google the home site of each one...
 
Old 03-07-2023, 03:19 AM   #3
rkelsen
Senior Member
 
Registered: Sep 2004
Distribution: slackware
Posts: 4,462
Blog Entries: 7

Rep: Reputation: 2561
Quote:
Originally Posted by watchintv
Does this all make sense or am I not looking at this problem correctly?
There are thousands (if not millions) of developers actively involved in Linux security on a daily basis.

Consider this: The same Operating System kernel powers >70% of the world's smart phones (Android uses the Linux kernel), and all of the top 500 supercomputers.

Sources:

https://gs.statcounter.com/os-market...bile/worldwide
https://www.stackscale.com/blog/most...mputers-linux/

That doesn't happen without security.
 
1 members found this post helpful.
Old 03-07-2023, 09:24 AM   #4
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,671
Blog Entries: 4

Rep: Reputation: 3945
There are, in fact, several "white hat" international security monitoring services, such as CERT, who make it their daily business to gather and immediately publicly disclose(!) known security vulnerabilities and to coordinate the process of developing responses to them.

The principle is that there can never be "security by obscurity." Quite the opposite.

Every major operating system, for every platform "from mainframe to mobile," is constantly involved in this process. You should always immediately install every "security update" just as soon as it is published, or simply arrange for your computer(s), and phone(s), to do so automatically. "Time is of the essence."

But also remember: "Security is a process." The fundamental nature of computers, borne by their sheer complexity, is that "there will always be another hole," and always another person looking for it – regardless of the color of his "hat." And also: "The greatest security vulnerability is always located between two ears."

Last edited by sundialsvcs; 03-07-2023 at 09:33 AM.
 
Old 03-07-2023, 10:20 AM   #5
jailbait
LQ Guru
 
Registered: Feb 2003
Location: Virginia, USA
Distribution: Debian 12
Posts: 8,340

Rep: Reputation: 550
Quote:
Originally Posted by watchintv
It seems like there should be someone or some entity that is capable of doing this.
The developer who wrote a piece of code can fix the bugs in his code in a fraction of the time and effort needed by some other competent developer who has never seen the code in question before.
 
Old 03-07-2023, 10:26 AM   #6
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 21,930

Rep: Reputation: 7321
Obviously there are errors, problems, security holes, lazy developers. So there will always be something to patch.
We always find and fix bugs and in the meantime we create new ones (and they are always different and probably harder to find).
 
Old 03-07-2023, 04:31 PM   #7
watchintv
Member
 
Registered: Oct 2016
Posts: 57

Original Poster
Rep: Reputation: Disabled
Thank you for the information. Very informative!

Who is winning, black hat or white hat -- in terms of finding vulnerabilities and exploiting?

If security is a process, is there no quick fix to prevent my system from getting hacked?

Must I hire a security consultant or is this something I can do on my own?

How is it that important organizations are preventing exploitation? Are they relying on this idea that security is a process and simply updating their OS when there is a new security update?

How does one bridge the gap between time of discovery of a vulnerability and patching it?
 
Old 03-07-2023, 04:47 PM   #8
wpeckham
LQ Guru
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS, Manjaro
Posts: 5,679

Rep: Reputation: 2713
Quote:
Originally Posted by watchintv
Thank you for the information. Very informative!

Who is winning, black hat or white hat -- in terms of finding vulnerabilities and exploiting?

If security is a process, is there no quick fix to prevent my system from getting hacked?

Must I hire a security consultant or is this something I can do on my own?

How is it that important organizations are preventing exploitation? Are they relying on this idea that security is a process and simply updating their OS when there is a new security update?

How does one bridge the gap between time of discovery of a vulnerability and patching it?
It is smart to secure your network as well as you can and still be fully functional. It is smart to secure your NODES on that network, because nothing (including security plans) can ever be perfect. It is smart to set up intrusion and malware detection in case someone bypasses all of your security, because that can happen. After all that, it is not that it is perfect and you are bulletproof, it is that now literally EVERYONE else looks like an easier target!

No operating system is perfectly secure that is still fully useful for most purposes. Linux is easier to secure than most, but it is an ongoing effort. As long as you have data worth protecting, you revisit threats, patches, network and host security, and evaluate vulnerabilities and risk regularly no matter WHAT OS you run.

Last edited by wpeckham; 03-07-2023 at 04:49 PM.
 
Old 03-07-2023, 05:08 PM   #9
rkelsen
Senior Member
 
Registered: Sep 2004
Distribution: slackware
Posts: 4,462
Blog Entries: 7

Rep: Reputation: 2561
Quote:
Originally Posted by watchintv
If security is a process, is there no quick fix to prevent my system from getting hacked?
It depends upon what your system is, what it does and what you want from it. Is it a web server? Is it an email server? Is it a desktop system? Do you want it to be accessible from the open internet? How do you intend to use the machine it will be installed on?

Without knowing more of these kinds of details, it is difficult to give you specific advice about locking it down.
Quote:
Originally Posted by watchintv
How does one bridge the gap between time of discovery of a vulnerability and patching it?
Keep your system updated. Most vulnerabilities in Linux and software that runs on it are patched quickly. Many of the things being patched these days would only make your system vulnerable within a narrow set of circumstances.
 
Old 03-07-2023, 06:09 PM   #10
watchintv
Member
 
Registered: Oct 2016
Posts: 57

Original Poster
Rep: Reputation: Disabled
Thank you for the information. I suppose if I wanted to check for vulnerabilities myself that I could do the following:

Break down my software:
Linux kernel (specific version)
Other OS software

Check CVE database for this software. Is the website https://www.cvedetails.com/ reliable for this process? In particular I noticed it lists "# of exploits" for each piece of software.

Or, should I reference a different website?

And then, be sure that I secure my network.

Does that all sound correct?
 
Old 03-07-2023, 06:21 PM   #11
rkelsen
Senior Member
 
Registered: Sep 2004
Distribution: slackware
Posts: 4,462
Blog Entries: 7

Rep: Reputation: 2561
Why not rely on your distribution's update mechanism? They all have one, and that should be sufficient.

There are websites like this one, which will show you how your machine looks from the outside: https://www.grc.com/shieldsup
 
2 members found this post helpful.
Old 03-07-2023, 06:43 PM   #12
watchintv
Member
 
Registered: Oct 2016
Posts: 57

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by rkelsen
Why not rely on your distribution's update mechanism? They all have one, and that should be sufficient.

There are websites like this one, which will show you how your machine looks from the outside: https://www.grc.com/shieldsup
Well, my concern is that the time between a vulnerability being found and a patch existing seems risky.

Also, relying on white hat developers to find vulnerabilities vs a black hat entity who doesn't share with the community their vulnerabilities seems risky.

I guess all I can do is either stay updated with the Distro releases and updates and/or check the software for vulnerabilities myself.

Advice?
 
Old 03-07-2023, 07:31 PM   #13
rkelsen
Senior Member
 
Registered: Sep 2004
Distribution: slackware
Posts: 4,462
Blog Entries: 7

Rep: Reputation: 2561
Quote:
Originally Posted by watchintv
Advice?
Again, is this a home computer or a server? There are different methods for each.
 
Old 03-07-2023, 07:44 PM   #14
watchintv
Member
 
Registered: Oct 2016
Posts: 57

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by rkelsen
Again, is this a home computer or a server? There are different methods for each.
Both
 
Old 03-07-2023, 08:20 PM   #15
Jan K.
Member
 
Registered: Apr 2019
Location: Esbjerg
Distribution: Windows 7...
Posts: 773

Rep: Reputation: 489
Lightning strikes, disc failures, fire, flooding, virus, malware... isn't the threat list endless?

And haven't the threats been around since... forever?


My take - or advice?

Bring it on, I say!

The important stuff, data, is at hand in multiple copies and can fully restore from bare metal in 10 minutes...

A trusted browser filters nasty stuff on the web, my mail-provider filters nasty mails, on Windows antivirus is running in the background... do you know of Lynis? or similar services?


So... chill, breathe and backup.
 
2 members found this post helpful.
  



All times are GMT -5. The time now is 03:06 PM.
