Presentation is loading. Please wait.

Presentation is loading. Please wait.

Software Vulnerability Group Status update

Published byChristine Croteau Modified over 5 years ago

Similar presentations

Presentation on theme: "Software Vulnerability Group Status update"— Presentation transcript:

1 Software Vulnerability Group Status update
Linda Cornwall, STFC CSIRT F2F 17-19th Jan 2017 – Prague.

2 Reminders…. Purpose of SVG "To minimize the risk to the EGI infrastructure arising from software vulnerabilities“ Wiki at Checklist for selecting/writing software Do we want to publicise this further? Or update? Main activity continues to be handling software vulnerabilities reported Advisories sent to sites and placed on the wiki

3 Issue handling Reminder
Anyone may report an issue by to If it has not been announced, SVG contacts the software provider and the software provider investigates (with SVG member, reporter, others) The relevance and effect in EGI are determined If relevant to EGI the risk in the EGI environment is assessed, and put in 1 of 4 categories – ‘Critical’, ‘High’, ‘Moderate’ or ‘Low’ If it has not been fixed, Target Date (TD) for resolution is set - ‘High’ 6 weeks, ‘Moderate’ 4 months, ‘Low’ 1 year

4 Advisories issued:-- Advisory is issued by SVG
When the vulnerability is fixed if EGI SVG is the main handler of vulnerabilities for this software, or software is in an EGI Repository regardless of the risk. If the issue is ‘Critical’ or ‘High’ in the EGI infrastructure If we think there is a good reason to issue an advisory to the sites. Advisory is ‘Amber’ if:-- ‘High’ or ‘critical’ risk and information is not public There is some other reason to be Amber Usually ‘White’ after 2 weeks assuming it is fixed Otherwise usually white.

5 Numbers since start of 2016 (as of 12th January 2017)
41 reported issues in 2016 (4 already this year) 5 glite, 2 dCache, 6 kernel, 6 OS general, 6 Cloud enabling Risk – 6 ‘Critical’, 9 ‘High’, 10 ‘Moderate’ 26 advisories issued publicly 2016 table. (+ 2 this year already.) Since last CSIRT F2F meeting - 15 reported. At present 8 open tickets

6 Advisory Template Further minor revisions to the advisory template
Most recently added the Context section Stating that the risk is in the context of the EGI infrastructure People may re-use if credit SVG. Also added some ‘skeleton’ references See Suggestions for further improvements welcome.

7 Some other issues – deviation from procedure
Ask sites to check – no risk assessment E.g. OpenStack Nova Metadata information leak Some vulnerabilities it’s enough for Enol/other Fed Cloud people to update in AppDB E.g. Docker escape vulnerability CVE No advisory needed Possibly this is another part of the procedure.

8 Cloud Middleware Distribution CMD V1 now available
This contains cloud enabling software on top of OpenStack Mitaka At present contains - Keystone-VOMS 9.0.3 - ooi 0.3.2 - gridsite 2.3.3 Cloud BDII Information provider Openstack itself obtained from elsewhere (rather like OS) This will allow sites to easily install tools needed, AND SVG can handle in the same way as the UMD.

9 Other Cloud related VM Operator role got discussed again at FedCloud F2F at the end of November Some still not keen. I thought I’d won this battle in June 2016

10 Mailing lists related to Fed Cloud (Vincent)
For the Critical Vulnerability handling & VA de-endorsement procedure, I think that we would need mailing lists for: VA owners + VA endorsers (Advisory) VM Operator (Advisory + de-endorsement notifications) For de-endorsement notification, it would be better to only notify people using it, but I don't think this is currently possible. But we do have VO security contacts via ops portal

11 Other Notes on Risk – needs updating – no progress yet

12

Download ppt "Software Vulnerability Group Status update"

Similar presentations

EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Grid Security Vulnerabilities Dr Linda Cornwall,

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Grid Security Vulnerabilities Dr Linda Cornwall,
The GridPP Wiki https://www.gridpp.ac.uk/wiki/Main_Page The case in favour of it Generic, standard information (e.g. GridPP Approved VOs) Common use cases.

The GridPP Wiki The case in favour of it Generic, standard information (e.g. GridPP Approved VOs) Common use cases.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 The EGI Software Vulnerability Group and EMI Dr Linda Cornwall, STFC, Rutherford.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI The EGI Software Vulnerability Group and EMI Dr Linda Cornwall, STFC, Rutherford.
Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
EGI-InSPIRE The EGI Software Vulnerability Group (SVG) What is a Software Vulnerability?SVG membership and interaction with other groups Most people are.

EGI-InSPIRE The EGI Software Vulnerability Group (SVG) What is a Software Vulnerability?SVG membership and interaction with other groups Most people are.
What if you suspect a security incident or software vulnerability? What if you suspect a security incident at your site? DON’T PANIC Immediately inform:

What if you suspect a security incident or software vulnerability? What if you suspect a security incident at your site? DON’T PANIC Immediately inform:
EGEE-III INFSO-RI-222667 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks From ROCs to NGIs The pole1 and pole 2 people.

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks From ROCs to NGIs The pole1 and pole 2 people.
OSG Area Coordinators Meeting Security Team Report Kevin Hill 08/14/2013.

OSG Area Coordinators Meeting Security Team Report Kevin Hill 08/14/2013.
Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Handling Grid Security Vulnerabilities in.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Handling Grid Security Vulnerabilities in.
What if you suspect a security incident or software vulnerability? What if you suspect a security incident at your site? DON’T PANIC Immediately inform:

What if you suspect a security incident or software vulnerability? What if you suspect a security incident at your site? DON’T PANIC Immediately inform:
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 EGI Federated Cloud F2F Security Issues in the cloud Introduction Linda Cornwall,

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Federated Cloud F2F Security Issues in the cloud Introduction Linda Cornwall,
The HEPiX IPv6 Working Group David Kelsey EGI TF, Prague 18 Sep 2012.

The HEPiX IPv6 Working Group David Kelsey EGI TF, Prague 18 Sep 2012.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks GSVG issues handling Dr Linda Cornwall CCLRC.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks GSVG issues handling Dr Linda Cornwall CCLRC.
Update on the Grid Security Vulnerability Group Linda Cornwall, MWSG7, Amsterdam 14 th December 2005

Update on the Grid Security Vulnerability Group Linda Cornwall, MWSG7, Amsterdam 14 th December 2005
Security Vulnerabilities Linda Cornwall, GridPP15, RAL, 11 th January 2006

Security Vulnerabilities Linda Cornwall, GridPP15, RAL, 11 th January 2006
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 EGI Federated Cloud Security - what is needed Linda Cornwall (STFC) and the.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Federated Cloud Security - what is needed Linda Cornwall (STFC) and the.
Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
The Grid Security Vulnerability Group (GSVG) Enabling Grids for E-sciencE EGEE-III INFSO-RI-222667 Eliminating and Preventing.

The Grid Security Vulnerability Group (GSVG) Enabling Grids for E-sciencE EGEE-III INFSO-RI Eliminating and Preventing.
Security Vulnerability Identification and Reduction Linda Cornwal, JRA1, Brno 20 th June 2005

Security Vulnerability Identification and Reduction Linda Cornwal, JRA1, Brno 20 th June 2005

Similar presentations

Ads by Google