80 likes | 92 Vues
Learn about EGI's plans for 2012 regarding handling vulnerabilities, updates, assessments, and procedures. Stay informed and ensure software security.
E N D
EGI Software Vulnerability Group (SVG) Plans for 2012 Dr Linda Cornwall, STFC EGI OMB 24th January 2012
Issue handling 2011 • Handling of (potential) vulnerabilities reported • Vulnerability issue handling procedure updated https://documents.egi.eu/secure/ShowDocument?docid=717 • Vulnerability issue handling generally running smoothly • 33 potential issues reported during 2011 • 11 Advisories issued by SVG • Others – Low risk (6 fixed EMI-2), CSIRT handled, duplicates, invalid, not relevant to EGI • No problem with responses from SLA partners SVG – OMB Jan 2012- Linda Cornwall
Issue handling 2012 • Vulnerability issue handling will continue • Investigation of issues, risk assessments, advisories, co-ordination as necessary • Improving the procedure for the resolution of issues • Improve RT fields and searches • Tracking versions/ UMD dashboard • Better reporting, especially for metrics • The procedure will be updated as necessary around PM 27 SVG – OMB Jan 2012- Linda Cornwall
End of gLite 3.2 Security Updates • gLite 3.2 security updates end 30th April 2012 • Implies only new ‘High’ or ‘Critical’ risk vulnerabilities should be fixed in gLite 3.2 • ‘Moderate’ Target date 4 months • Sites need to think about moving away from gLite 3.2. SVG – OMB Jan 2012- Linda Cornwall
Vulnerability Assessment 2011 • Vulnerability Assessment Plan produced jointly between EGI and EMI https://documents.egi.eu/secure/ShowDocument?docid=563 • This is for detailed examination of software of EMI middleware used in EGI to look for problems • gLexec (re)assessed • Vulnerabilities found ‘Low’ Risk • Addressed in EMI-2 • (Previous assessment in 2010 found more serious problems) SVG – OMB Jan 2012- Linda Cornwall
Vulnerability Assessment (2) • ARGUS assessed • No vulnerabilities found • VOMS Core assessed (report just produced) • 1 ‘Low’ Risk vulnerability found • Next to be assessed is WMS, followed by CREAM • CREAM and WMS swapped, as CREAM undergoing partial re-write • Plan also to be updated SVG – OMB Jan 2012- Linda Cornwall
In case anyone needs reminding • If you find a vulnerability you must NOT • Discuss on a mailing list – especially one with an open subscription policy or which is archived publically • Post information on a web page • Publicise in any way without agreement of SVG • Report to SVG via report-vulnerability@egi.eu SVG – OMB Jan 2012- Linda Cornwall
Questions • ?? SVG – OMB Jan 2012- Linda Cornwall