The main purpose of the EGI Software Vulnerability Group can be summarized as "To minimize the risk of security incidents due to software vulnerabilities."
The EGI SVG and its predecessors have been active since 2006, helping sites and VOs avoid incidents due to software vulnerabilities across the distributed computing infrastructure in a consistent manner.
Initially the focus was on Grid computing and on the software enabling it, largely developed by our collaborators, but SVG has since been handling a wider range of software used across the EGI infrastructure. Most of the work has been carried out by the SVG Risk Assessment Team (RAT), who assess the relevance of any reported vulnerability and the risk it poses to the infrastructure. If a vulnerability has not been fixed yet, the RAT then asks the software provider to fix it on a timescale according to the assessed risk.
In recent years the EGI infrastructure has become much less homogeneous: there has been a proliferation of software in use, and it is no longer possible for the SVG RAT to be experts in all the software used and how it is set up. So we are having to evolve to cope, just as the world around us is evolving.
This talk will describe the basic vulnerability handling procedure, and how the procedure is gradually being extended to deal with the less homogeneous EGI infrastructure. This will include the concept of the "Deployment Expert Group" or "DEG", which consists of people who either run relevant services or are involved in the design or configuration of such services, and who help handle vulnerabilities in this much less homogeneous infrastructure. We will describe progress on evolving this procedure to date, and plans for the coming months and beyond. In particular, the DEG is open for more people to join and contribute to the continued security of EGI!
Most suitable track: Delivering services and solutions