Speakers
Description of the work
Software vulnerabilities may be reported by anyone to the EGI SVG by e-mail to report-vulnerability@egi.eu.
Reported vulnerabilities are investigated jointly by the developers and the SVG Risk Assessment Team (RAT). If they are valid and applicable to EGI, the RAT then carries out a risk assessment and sets a target date for resolution according to the risk.
Vulnerabilities are also detected by the pro-active examination of code known as 'vulnerability assessment'.
Various pieces of Grid Middleware are or have been assessed using first principles vulnerability assessment techniques jointly developed by the University of Wisconsin and the Universitat Autonoma de Barcelona, and any vulnerabilities found are addressed.
Vulnerability prevention is also carried out through developer education (mainly in EMI) and through considering what new software is allowed onto the EGI infrastructure.
Wider impact of this work
The purpose of the EGI Software Vulnerability Group is to eliminate existing vulnerabilities from the deployed infrastructure, primarily from the grid middleware, to prevent the introduction of new ones, and to prevent security incidents.
As far as we are aware, and at the time of writing, no incidents have occurred due to vulnerabilities in Grid Middleware, which tends to indicate that our procedures for handling vulnerabilities are effective.
Printable Summary
This session will report on the work and progress of the EGI Software Vulnerability Group (SVG).
A summary of the process for handling reported software vulnerabilities (which may be reported by anyone) and the current status will be included.
A report on the current status of 'vulnerability assessment', which is the pro-active examination of code for vulnerabilities, will also be presented.
Link for further information
https://wiki.egi.eu/wiki/SVG