
Difference between revisions of "QosCosGrid Initial Security assessment"

From EGIWiki
Previous revision (wikitext):

This wiki page documents the progress of the QCG initial security assessment, from first contact to conclusion on whether to proceed or not.

The final security assessment of the QCG 2.6.1 is available [QCG-2.6.1_final_security_audit_results.pdf here].

1) A number of security flaws were found. I would be interested in:
- Which specific vulnerabilities were found?
- Out of those, which ones were fixed?
- Which ones were not fixed in QCG2.6.1?
The report does not explicitly state whether there are remaining open vulnerabilities

2) Certain methodologies were employed with a specific set of tools.
- Is it possible to provide details and results of specific tests?
Perhaps to a limited distribution list (initially, once QCG would be provisioned, then full disclosure would have to be provided within a well-defined distribution list)

3) Have there been dedicated tests around components that require root privileges while running?
Perhaps these were implicitly covered by the actual tests done; perhaps Mingchao can chime in here.

Revision as of 15:04, 1 June 2012 (wikitext):

This wiki page documents the progress of the QCG initial security assessment, from first contact to conclusion on whether to proceed or not.

The final security assessment of the QCG 2.6.1 is available [[Media:QCG-2.6.1_final_security_audit_results.pdf|here]].

This has sparked the following questions:

# A number of security flaws were found. I would be interested in:
## Which specific vulnerabilities were found?
## Out of those, which ones were fixed?
## Which ones were not fixed in QCG2.6.1?
# The report does not explicitly state whether there are remaining open vulnerabilities
# Certain methodologies were employed with a specific set of tools.
# Is it possible to provide details and results of specific tests?
## Perhaps to a limited distribution list (initially, once QCG would be provisioned, then full disclosure would have to be provided within a well-defined distribution list)
# Have there been dedicated tests around components that require root privileges while running?
## Perhaps these were implicitly covered by the actual tests done; perhaps

Revision as of 15:04, 1 June 2012

This wiki page documents the progress of the QCG initial security assessment, from first contact to conclusion on whether to proceed or not.

The final security assessment of the QCG 2.6.1 is available here: QCG-2.6.1_final_security_audit_results.pdf.

This has sparked the following questions:

  1. A number of security flaws were found. I would be interested in:
    1. Which specific vulnerabilities were found?
    2. Out of those, which ones were fixed?
    3. Which ones were not fixed in QCG2.6.1?
  2. The report does not explicitly state whether there are remaining open vulnerabilities.
  3. Certain methodologies were employed with a specific set of tools.
  4. Is it possible to provide details and results of specific tests?
    1. Perhaps to a limited distribution list (initially, once QCG would be provisioned, then full disclosure would have to be provided within a well-defined distribution list)
  5. Have there been dedicated tests around components that require root privileges while running?
    1. Perhaps these were implicitly covered by the actual tests done; perhaps