EGI Software Vulnerability Group (SVG) Plans for 2012
Dr Linda Cornwall, STFC
EGI OMB, 24th January 2012

Issue handling 2011
• Handling of (potential) vulnerabilities reported
• Vulnerability issue handling procedure updated https://documents.egi.eu/secure/ShowDocument?docid=717
• Vulnerability issue handling generally running smoothly
• 33 potential issues reported during 2011
  • 11 Advisories issued by SVG
  • Others – Low risk (6 fixed EMI-2), CSIRT handled, duplicates, invalid, not relevant to EGI
• No problem with responses from SLA partners
SVG – OMB Jan 2012 – Linda Cornwall

Issue handling 2012
• Vulnerability issue handling will continue
  • Investigation of issues, risk assessments, advisories, co-ordination as necessary
• Improving the procedure for the resolution of issues
  • Improve RT fields and searches
  • Tracking versions / UMD dashboard
  • Better reporting, especially for metrics
• The procedure will be updated as necessary around PM 27

End of gLite 3.2 Security Updates
• gLite 3.2 security updates end 30th April 2012
• Implies only new ‘High’ or ‘Critical’ risk vulnerabilities should be fixed in gLite 3.2
• ‘Moderate’ Target date 4 months
• Sites need to think about moving away from gLite 3.2.

Vulnerability Assessment 2011
• Vulnerability Assessment Plan produced jointly between EGI and EMI https://documents.egi.eu/secure/ShowDocument?docid=563
• This is for detailed examination of software of EMI middleware used in EGI to look for problems
• gLexec (re)assessed
  • Vulnerabilities found ‘Low’ Risk
  • Addressed in EMI-2
  • (Previous assessment in 2010 found more serious problems)

Vulnerability Assessment (2)
• ARGUS assessed
  • No vulnerabilities found
• VOMS Core assessed (report just produced)
  • 1 ‘Low’ Risk vulnerability found
• Next to be assessed is WMS, followed by CREAM
  • CREAM and WMS swapped, as CREAM undergoing partial re-write
• Plan also to be updated

In case anyone needs reminding
• If you find a vulnerability you must NOT
  • Discuss on a mailing list – especially one with an open subscription policy or which is archived publicly
  • Post information on a web page
  • Publicise in any way without agreement of SVG
• Report to SVG via report-vulnerability@egi.eu

Questions
• ??