19–23 Sept 2022
Prague, Czech Republic
Europe/Amsterdam timezone

The EGI Software Vulnerability Group - evolving

20 Sept 2022, 18:30
8m
Topaz

Lightning Talk (8 mins)
Security, Trust & Identity
Lightning Talks: Security, Trust & Identity

Speaker

David Crooks (STFC)

Description

The purpose of the EGI Software Vulnerability Group (SVG) is “To minimise the risk of security incidents due to software vulnerabilities.”

The EGI SVG and its predecessors have been dealing with software vulnerabilities for about 15 years. Initially, the group was set up to address the lack of vulnerability management in Grid Middleware, and its tasks included fixing security issues and ensuring that all sites in the relatively uniform EGI environment addressed the most serious vulnerabilities.

Now, things are different: the infrastructure has become less homogeneous, a wider range of software is installed, and the majority of software vulnerabilities affecting EGI infrastructure are announced by software vendors. This means that the methods for dealing with software vulnerabilities have been changing and need to change further.

One extreme is to say that service providers are wholly responsible for ensuring their software is up to date, which to first order is true. Much as we do with people's mobile phones, we would just assume that sites update themselves.

But EGI can do better than that.

EGI helps sites become aware of and address serious vulnerabilities that are within the scope of the EGI portfolio of distributed computing services, so that all parties concerned have confidence in the security of the infrastructure. Vulnerabilities may be reported by EGI participants or become known through third-party reports. Analysis of the impact of a vulnerability within EGI may lead to its risk level being elevated or reduced compared to conclusions applicable elsewhere.

This short talk will briefly describe how software vulnerability management for EGI is evolving.

Topic Security, Trust & Identity
