Presentation is loading. Please wait.

Presentation is loading. Please wait.

EGI Software Vulnerability Group (SVG) report to CSIRT F2F

Published byShonda Ashlynn Gallagher Modified over 6 years ago

Similar presentations

Presentation on theme: "EGI Software Vulnerability Group (SVG) report to CSIRT F2F"— Presentation transcript:

1 EGI Software Vulnerability Group (SVG) report to CSIRT F2F
Dr Linda Cornwall, STFC/RAL. 24-25th April 2013 6/10/2018

2 Vulnerability Assessments Recent issue handling
Contents Vulnerability Assessments Recent issue handling Issue handling – post EMI/IGE What is not changing What is changing/uncertain CSIRT/SVG responsibilities 6/10/2018 Linda Cornwall

3 Vulnerability Assessments
WMS – almost complete Elisa Heymann reviewing the report CREAM in work 3 people working on it at present including 2 masters students 6/10/2018 Linda Cornwall

4 12 vulnerabilities this year so far
Recent issue handling 12 vulnerabilities this year so far Including 3 ‘High’ Last few weeks quite busy 13 ‘open’ – not the same ones Seem to mostly be between 10 and 15 ‘open’ issues Most do get fixed rather than hang around beyond TD 6/10/2018 Linda Cornwall

5 Current RAT members Linda Cornwall (STFC/RAL, UK) Eygene Ryabinkin(RRC-KI, Russia ) Stephen Burke(STFC/RAL, UK) Mischa Sallé (FOM) Krzysztof Benedyczak (UWAR, Poland) Åke Sandgren(HP2CN, Sweden) Vincenzo Ciaschini(INFN, Italy) Bernd Schuller (JUELICH, Germany) Simon Fayer(IMPERIAL, UK) David Smith(CERN) Sven Gabriel (FOM) Adam Smutnicki(Poland) John Green (STFC/RAL,UK) Steve Traylen(CERN) Oscar Koeroo (FOM) Anders Waananen (UCPH, Denmark) Daniel Kouril (CESNET, Czech Rep) Maarten Litmaath (CERN) Leif Nixon (LIU, Sweden)

6 As people know, EMI and IGE are coming to an end
End of EMI/IGE As people know, EMI and IGE are coming to an end Vulnerabilities will still need to be handled As will other software maintenance 6/10/2018 Linda Cornwall

7 Minimum needed for SVG to continue
Direct contact details for product teams Developers plus ‘responsible’ Product teams respond a.s.a.p. and participate in investigation Product teams and UMD people produce patch in time for Target Date RAT continues Co-ordination continues 6/10/2018 Linda Cornwall

8 EMI 3 will be supported by development teams for 1 year
Mostly the same individuals will be supporting the software Including fixing vulnerabilities Products will be in the UMD The TD will continue to be the date by which vulnerabilities should be fixed in the UMD 6/10/2018 Linda Cornwall

9 Middleware Development and Innovation Alliance (MeDIA) is being formed
EMI => MeDIA Middleware Development and Innovation Alliance (MeDIA) is being formed This will co-ordinate the development and support of Middleware enabling the sharing of distributed resources Discussion between EGI UMD and EMI during the CF MeDIA first meeting on 22nd April Things may soon be clearer 6/10/2018 Linda Cornwall

10 IGE => EGCF Globus in Europe will be coordinated by the European Globus Community Forum (EGCF) Details for how we contact appropriate people still require some clarification 6/10/2018 Linda Cornwall

11 Proliferation of software
Proliferation of middleware will probably mean that Product Teams will need to be more active in investigation RAT members can’t know everything Multitude of platforms and versions means we need better version tracking Need to ensure versions all fixed at once Looking into using OVAL Will discuss when further progress on how things work 6/10/2018 Linda Cornwall

12 Some details of the procedure changing
In Principle Nothing is changing General Procedure remains the same Some details of the procedure changing E.g. for ‘High’ risk issues advisory only to sites initially and make public 2 weeks later Details of how we contact people/how the procedure is carried out is changing Details not fully defined yet 6/10/2018 Linda Cornwall

13 In EGI SLAs defined response times
Some concerns In EGI SLAs defined response times Likely to not be SLAs with product teams In past either same project or SLA How reliable will response be? Not just a problem for vulnerabilities, but any serious software problem 6/10/2018 Linda Cornwall

14 Types of software Software Source
S/W provider aware/announced vulnerability S/W provider not clearly aware of vulnerability Risk Assessment Other comment Grid Middleware in EGI UMD Problem fully handled according to procedure in this document by SVG SVG Operational Tools developed by the EGI InSPIRE project Problem fully handled according to the procedure in this document by SVG, except distribution of tools not in UMD Software problem or general vulnerability type which may affect middleware Software development/maintenance teams contacted and asked to check whether their software is affected and the impact If problem found, handled according to this procedure Linux Operating system software on which the EGI infrastructure is based CSIRT/SVG investigate relevance to EGI Inform software provider SVG/CSIRT jointly Usually CSIRT member will contact provider if necessary EPEL software (Extra Packages for Linux Enterprise) CSIRT/SVG investigate relevance to EGI SVG or CSIRT member will contact provider if necessary depending on knowledge Other Software installed on the EGI Infrastructure Software not installed on the EGI infrastructure Do nothing None Only action is to forward information.

15 I would like to discuss this
SVG/CSIRT boundary I would like to discuss this Normally ‘Middleware’ seen as ‘SVG’ other software ‘CSIRT’ Although often I’ve drafted advisories for non-middleware And sometimes a non-middleware vulnerability affects middleware Up to now, added EGI CSIRT Team to non-middleware But often no interest in Risk Assessment non MW 6/10/2018 Linda Cornwall

16 One possibility - RAT only responsible for MW, CSIRT assessing non MW
How to improve One possibility - RAT only responsible for MW, CSIRT assessing non MW Other possibility – all vulnerabilities (Middleware or not) entered in tracker Duty team also sees all vulnerabilities Or Duty team members added to RAT – and RAT expanded to cover non-middleware Sven once suggested this. Don’t expect to resolve today 6/10/2018 Linda Cornwall

17 Whether this be Clouds, or whatever the future holds
Changing Technology EGI SVG will need to replace ‘Grid Middleware’ with ‘Middleware associated with the sharing of Distributed Rescores’ Whether this be Clouds, or whatever the future holds A lot for SVG to think about 6/10/2018 Linda Cornwall

18 What do you do if you find a vulnerability?
DO NOT Discuss on a mailing list – especially one with an open subscription policy or which is archived publically Post information on a web page Publicise in any way without agreement of SVG DO report to SVG via This does not change 6/10/2018 Linda Cornwall

19 Questions? ?? 6/10/2018 Linda Cornwall

20 6/10/2018 Linda Cornwall

Download ppt "EGI Software Vulnerability Group (SVG) report to CSIRT F2F"

Similar presentations

INFSO-RI-508833 Enabling Grids for E-sciencE Update on LCG/EGEE Security Policy and Procedures David Kelsey, CCLRC/RAL, UK

INFSO-RI Enabling Grids for E-sciencE Update on LCG/EGEE Security Policy and Procedures David Kelsey, CCLRC/RAL, UK
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 The EGI Software Vulnerability Group and EMI Dr Linda Cornwall, STFC, Rutherford.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI The EGI Software Vulnerability Group and EMI Dr Linda Cornwall, STFC, Rutherford.
Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
EGI-InSPIRE The EGI Software Vulnerability Group (SVG) What is a Software Vulnerability?SVG membership and interaction with other groups Most people are.

EGI-InSPIRE The EGI Software Vulnerability Group (SVG) What is a Software Vulnerability?SVG membership and interaction with other groups Most people are.
What if you suspect a security incident or software vulnerability? What if you suspect a security incident at your site? DON’T PANIC Immediately inform:

What if you suspect a security incident or software vulnerability? What if you suspect a security incident at your site? DON’T PANIC Immediately inform:
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks From ROCs to NGIs The pole1 and pole 2 people.

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks From ROCs to NGIs The pole1 and pole 2 people.
PCR Status report AESAG, September 5 2012 Supported by:

PCR Status report AESAG, September Supported by:
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 Future support of EGI services Tiziana Ferrari/EGI.eu Future support of EGI.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Future support of EGI services Tiziana Ferrari/EGI.eu Future support of EGI.
EMI SA2: Quality Assurance (EMI-SA2 Work Package) Alberto Aimar (CERN) WP Leader.

EMI SA2: Quality Assurance (EMI-SA2 Work Package) Alberto Aimar (CERN) WP Leader.
The Grid Services Security Vulnerability and Risk Assessment Activity in EGEE-II Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688

The Grid Services Security Vulnerability and Risk Assessment Activity in EGEE-II Enabling Grids for E-sciencE EGEE-II INFSO-RI
Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Handling Grid Security Vulnerabilities in.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Handling Grid Security Vulnerabilities in.
EMI is partially funded by the European Commission under Grant Agreement RI-261611 Post EMI Plans and MeDIA Alberto DI MEGLIO, CERN Project Director WLCG.

EMI is partially funded by the European Commission under Grant Agreement RI Post EMI Plans and MeDIA Alberto DI MEGLIO, CERN Project Director WLCG.
What if you suspect a security incident or software vulnerability? What if you suspect a security incident at your site? DON’T PANIC Immediately inform:

What if you suspect a security incident or software vulnerability? What if you suspect a security incident at your site? DON’T PANIC Immediately inform:
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks The Grid Security Vulnerability Group Dr.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks The Grid Security Vulnerability Group Dr.
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Grid Security Vulnerability Handling and.

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Grid Security Vulnerability Handling and.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 EGI Federated Cloud F2F Security Issues in the cloud Introduction Linda Cornwall,

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Federated Cloud F2F Security Issues in the cloud Introduction Linda Cornwall,
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks GSVG issues handling Dr Linda Cornwall CCLRC.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks GSVG issues handling Dr Linda Cornwall CCLRC.
Update on the Grid Security Vulnerability Group Linda Cornwall, MWSG7, Amsterdam 14 th December 2005

Update on the Grid Security Vulnerability Group Linda Cornwall, MWSG7, Amsterdam 14 th December 2005
Security Vulnerabilities Linda Cornwall, GridPP15, RAL, 11 th January 2006

Security Vulnerabilities Linda Cornwall, GridPP15, RAL, 11 th January 2006

Similar presentations

Ads by Google