The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other platforms; new updates will be ignored and lost.
If needed, you can get in touch with the EGI SDIS team using operations @ egi.eu.

SVG:Deployment Expert Group

From EGIWiki
Revision as of 17:29, 17 August 2020


Deployment Expert Group


The Deployment Expert Group (DEG) is made up of people who volunteer to help the EGI SVG deal with vulnerabilities where they have appropriate expertise.

The aim is to keep the high standard of handling software vulnerabilities which we have established over more than a decade in an increasingly heterogeneous infrastructure.

This was updated after discussion at the SVG meeting on 26th February 2020, and further edited after discussion at the SVG meeting on 15th July 2020. We will try to keep the role and responsibilities of the DEG as simple and straightforward as possible; we see the following as the main tasks:

Look out for and report vulnerabilities in software you use

It is important that DEG members are alert to software vulnerabilities announced by the providers of software they deploy, and report via report-vulnerability@egi.eu any they consider serious and relevant to EGI. In addition, vulnerabilities DEG members discover themselves should also be reported via report-vulnerability@egi.eu. Members may of course also report them to the software provider, if able to do so without exposing the vulnerability publicly. Alternatively, SVG will be happy to handle that for you.

Respond when asked if an issue is 'In Scope'

Sometimes when a vulnerability is reported, SVG-RAT members are not aware of whether the affected software is used in EGI. Please respond to this question, particularly if you use the software. If no one responds to say that the issue is in scope, it is likely to be treated as Out of Scope, even if the software is in fact used.

Scope depends on participation.

Volunteer for the iRAT if you have expertise

If an issue is considered to be 'In Scope', we will ask for volunteers to join the issue-specific RAT, or iRAT. Finding the appropriate members of the iRAT for a particular issue is probably the most important function of the DEG: investigating the impact of a vulnerability depends on getting people onto the iRAT who can assess the issue and its effect according to how the software is actually deployed.

Also Note

Anyone can report a vulnerability; they do not have to be a member of SVG or the DEG.

Anyone deploying services should consider good practice when selecting and configuring software. SVG has produced a simple software security checklist to try and avoid some of the common problems we have found in the past: SVG:Software_Security_Checklist in EGI Wiki.