17–21 Sept 2012
Clarion Conference Centre
Europe/Prague timezone

The EGI Software Vulnerability Group (SVG) - Introduction

21 Sept 2012, 11:00
5m
Zenit (Clarion Conference Centre)

Internal Project Meeting EGI Operations (Tiziana Ferrari: track leader) Operations

Speakers

Elisa Heymann (UAB), Linda Cornwall (STFC)

Link for further information

https://wiki.egi.eu/wiki/SVG

Description of the work

Software vulnerabilities may be reported by anyone to the EGI SVG by e-mail to report-vulnerability@egi.eu.
Reported vulnerabilities are investigated jointly by the developers and the SVG Risk Assessment Team (RAT). If a vulnerability is valid and applicable to EGI, the RAT carries out a risk assessment and sets a target date for resolution according to the assessed risk.

Vulnerabilities are also detected by the pro-active examination of code known as 'vulnerability assessment'.
Various pieces of Grid Middleware are, or have been, assessed using the first-principles vulnerability assessment techniques jointly developed by the University of Wisconsin and the Universitat Autonoma de Barcelona, and any vulnerabilities found are addressed.

Vulnerability prevention is also carried out through developer education (mainly within EMI, the European Middleware Initiative) and through considering what new software is allowed onto the EGI infrastructure.

Wider impact of this work

The purpose of the EGI Software Vulnerability Group is to eliminate existing vulnerabilities from the deployed infrastructure, primarily from the grid middleware, prevent the introduction of new ones and prevent security incidents.

As far as we are aware, and at the time of writing, no incidents have occurred due to vulnerabilities in Grid Middleware, which tends to indicate that our procedures for handling vulnerabilities are effective.

Printable Summary

This session will report on the work and progress of the EGI Software Vulnerability Group (SVG).

A summary of the process for handling reported software vulnerabilities (which anyone may report), together with the current status, will be included.

A report on the current status of 'vulnerability assessment', which is the pro-active examination of code for vulnerabilities, will also be presented.
