EGI Software Vulnerability Group (SVG) Plans for 2012

Learn about EGI's plans for 2012 regarding handling vulnerabilities, updates, assessments, and procedures. Stay informed and ensure software security.

pwyatt

Presentation Transcript


  1. EGI Software Vulnerability Group (SVG) Plans for 2012
     Dr Linda Cornwall, STFC
     EGI OMB, 24th January 2012

  2. Issue handling 2011
     • Handling of (potential) vulnerabilities reported
     • Vulnerability issue handling procedure updated: https://documents.egi.eu/secure/ShowDocument?docid=717
     • Vulnerability issue handling generally running smoothly
     • 33 potential issues reported during 2011
     • 11 Advisories issued by SVG
     • Others – Low risk (6 fixed EMI-2), CSIRT handled, duplicates, invalid, not relevant to EGI
     • No problem with responses from SLA partners
     SVG – OMB Jan 2012 – Linda Cornwall

  3. Issue handling 2012
     • Vulnerability issue handling will continue
     • Investigation of issues, risk assessments, advisories, co-ordination as necessary
     • Improving the procedure for the resolution of issues
     • Improve RT fields and searches
     • Tracking versions / UMD dashboard
     • Better reporting, especially for metrics
     • The procedure will be updated as necessary around PM 27

  4. End of gLite 3.2 Security Updates
     • gLite 3.2 security updates end 30th April 2012
     • Implies only new ‘High’ or ‘Critical’ risk vulnerabilities should be fixed in gLite 3.2
     • ‘Moderate’ Target date 4 months
     • Sites need to think about moving away from gLite 3.2.

  5. Vulnerability Assessment 2011
     • Vulnerability Assessment Plan produced jointly between EGI and EMI: https://documents.egi.eu/secure/ShowDocument?docid=563
     • This is for detailed examination of software of EMI middleware used in EGI to look for problems
     • gLexec (re)assessed
       • Vulnerabilities found ‘Low’ Risk
       • Addressed in EMI-2
       • (Previous assessment in 2010 found more serious problems)

  6. Vulnerability Assessment (2)
     • ARGUS assessed
       • No vulnerabilities found
     • VOMS Core assessed (report just produced)
       • 1 ‘Low’ Risk vulnerability found
     • Next to be assessed is WMS, followed by CREAM
       • CREAM and WMS swapped, as CREAM undergoing partial re-write
     • Plan also to be updated

  7. In case anyone needs reminding
     • If you find a vulnerability you must NOT
       • Discuss on a mailing list – especially one with an open subscription policy or which is archived publicly
       • Post information on a web page
       • Publicise in any way without agreement of SVG
     • Report to SVG via report-vulnerability@egi.eu

  8. Questions
     • ??
