Difference between revisions of "SVG:SVG"

From EGIWiki
Jump to navigation Jump to search
 
(45 intermediate revisions by 2 users not shown)
Line 3: Line 3:
== The EGI Software Vulnerability Group (SVG) ==
== The EGI Software Vulnerability Group (SVG) ==


The purpose of the EGI Software Vulnerability Group is to eliminate existing vulnerabilities from the deployed infrastructure, primarily from the grid middleware, prevent the introduction of new ones and prevent security incidents
The purpose of the EGI Software Vulnerability Group is "To minimize the risk to the EGI infrastructure arising from software vulnerabilities“


The EGI SVG runs a process for handling software vulnerabilities reported. While our work is primarily designed to handle vulnerabilities in Grid Middleware, other vulnerabilities found in software used in the EGI infrastructure may also be reported to us and we pass the information on to the software suppliers, as well as considering the risk to the EGI infrastructure.  
This has been recently updated to say "To minimize the risk to all service providers, infrastructures, users and other parties which interact with the EOSC-hub, arising from vulnerabilities in software deployed on the constituents of the distributed infrastructure.  In essence, to minimize the risk of security incidents due to software vulnerabilities."


* [https://documents.egi.eu/document/108 Terms of Reference]
We provide some  information on [[SVG:Scope | SVGScope ]] in the EOSC era.


A poster is available summarising the work of SVG [[File:PosterSVG-2011.pdf | Poster ]]
The EGI SVG runs a procedure for handling software vulnerabilities reported which are relevant to the EGI infrastructure. 
This includes vulnerabilities announced by major providers, as well as software which is developed by collaborating projects and organisations used in the EGI infrastructure. 
 
[[SVG:Advisories | Advisories]] are issued by SVG as part of this process.
 
The EGI Operations Management Board (OMB) has formally approved the [https://documents.egi.eu/document/3145 EGI Software Vulnerability Issue Handling Process ]
 
However, this procedure is at present undergoing major revision.  (Oct 2020)
 
* [https://documents.egi.eu/document/108 Terms of Reference] (Note that these are currently undergoing revision.)
 
== Intel and other processor speculative execution vulnerabilities (including Meltdown and Spectre) ==
 
Here SVG provides information that may be useful to various sites concerning the various
[[SVG:Speculative Execution Vulnerabilities | SVG Speculative execution vulnerabilities ]]
 
== Software for use on the EGI infrastructure ==
 
SVG cannot dictate what software is in use on the infrastructure, especially in the rapidly changing environment.  
 
If you are involved in selecting software for use in the EGI infrastructure, or developing software for use in the EGI infrastructure it is important that you take some of the responsibility for the security of that software.
 
To help, we have produced a [[SVG:Software Security Checklist | Software Security Checklist ]] of things that you should consider.
 
You may also be interested in joining the Deployment Expert Group. (DEG)


== What if you find a software vulnerability? ==
== What if you find a software vulnerability? ==
If it has not been announced publicly:--


'''DO NOT''' discuss on a mailing list - especially one with an open subscription policy or public archive
'''DO NOT''' discuss on a mailing list - especially one with an open subscription policy or public archive
Line 20: Line 46:


'''IMMEDIATELY Report it to report-vulnerability (at) egi.eu'''
'''IMMEDIATELY Report it to report-vulnerability (at) egi.eu'''
Vulnerabilities announced publicly may be reported to this address too, which may be serious either to EGI, EUDAT, or other services in the EOSC-hub catalogue. This ensure SVG is aware of them, and able to assess the impact.


See [[SVG:Reporters_View | Reporters View ]]
See [[SVG:Reporters_View | Reporters View ]]
Line 25: Line 53:
== Main Tasks of the EGI Software Vulnerability Group ==
== Main Tasks of the EGI Software Vulnerability Group ==


*Provide an efficient process to report, handle, and resolve software vulnerabilities found in middleware.
*Provide an efficient process to report, handle, and resolve software vulnerabilities in software used in the EGI infrastructure.


This is the largest activity of the EGI SVG.
This is the largest activity of the EGI SVG.
Line 31: Line 59:
*Provide consultation on software vulnerabilities to the CSIRT team and other EGI groups.
*Provide consultation on software vulnerabilities to the CSIRT team and other EGI groups.


*Collaborate with other partners to assess software provided in the EGI Unified Middleware Distribution and to look for vulnerabilities.
*Collaborate with other partners to identify vulnerabilities, and share information on vulnerabilities.


*Encourage developers to write secure code, thus reducing the likelihood of future problems, by education and awareness.
*Encourage developers to write secure code, thus reducing the likelihood of future problems, by education and awareness.
*Encourage all those involved in the selection and deployment of software to be aware of security, aware that software deployed should be under security maintenance and configured in a secure manner.


== Incidents ==
== Incidents ==


If a vulnerability has been exploited, it is an incident, and is NOT handled by the EGI Software Vulnerability Group.  You should then follow the  
If a vulnerability has been exploited, it is an incident, and is NOT handled by the EGI Software Vulnerability Group.   
* [https://documents.egi.eu/document/710 EGI CSIRT incident Handling procedure] 
 
You should then follow the EGI CSIRT Incident Handling Procedure
* https://wiki.egi.eu/wiki/SEC01
 
Also see the [[EGI_CSIRT:Incident_reporting | EGI CSIRT Incident Reporting Wiki ]]
Also see the [[EGI_CSIRT:Incident_reporting | EGI CSIRT Incident Reporting Wiki ]]
Several people are in both the EGI Incident Response Task Force as well as the Software Vulnerability group, so sending to either will probably get forwarded fairly quickly to the right people.


== The Software Vulnerability Issue Handling process ==
== The Software Vulnerability Issue Handling process ==


The EGI Software Vulnerability [[SVG:Issue Handling Summary |  issue handling  summary]] contains a brief summary of the issue handling process, and links to further information.
The EGI Software Vulnerability [[SVG:Issue Handling Summary |  issue handling  summary]] contains a brief summary of the issue handling process, and links to further information.
*[https://documents.egi.eu/document/3145 EGI Software Vulnerability Issue Handling Process ]


The Issue handling process document which as been approved by the project executive board as part of the EGI milestone MS405.
This has been updated and updates approved by the Operations Management Board in December 2015, further updated and updates approved by the OMB in November 2017.
*[https://documents.egi.eu/document/717 EGI Software Vulnerability Issue Handling Process ]


This has been updated and updates approved in October 2011
This is undergoing revision at time of writing, to cope with the increased inhomogeneity of the infrastructure.


== Other activities ==
== Other activities ==


[[SVG:Vulnerability Assessment | Vulnerability Assessment]] is the proactive examination of software in order to find vulnerabilities that may exist.
[[SVG:Vulnerability Assessment | Vulnerability Assessment]] is the proactive examination of software in order to find vulnerabilities that may exist. At present there is no funding to carry out this activity.  


The SVG also encourages developers to write Secure Code [[SVG:Secure Coding | Secure Coding ]]
The SVG also encourages developers to write Secure Code [[SVG:Secure Coding | Secure Coding ]]
A poster is available summarising the work of SVG  [[File:PosterSVG-2011.pdf | Poster ]] (This is a little old, and rather focussed on Grid Middleware)

Latest revision as of 22:52, 17 March 2021

Main page Software Security Checklist Issue Handling Advisories Notes On Risk Advisory Template More

SVG


The EGI Software Vulnerability Group (SVG)

The purpose of the EGI Software Vulnerability Group is "To minimize the risk to the EGI infrastructure arising from software vulnerabilities“

This has been recently updated to say "To minimize the risk to all service providers, infrastructures, users and other parties which interact with the EOSC-hub, arising from vulnerabilities in software deployed on the constituents of the distributed infrastructure. In essence, to minimize the risk of security incidents due to software vulnerabilities."

We provide some information on SVGScope in the EOSC era.

The EGI SVG runs a procedure for handling software vulnerabilities reported which are relevant to the EGI infrastructure. This includes vulnerabilities announced by major providers, as well as software which is developed by collaborating projects and organisations used in the EGI infrastructure.

Advisories are issued by SVG as part of this process.

The EGI Operations Management Board (OMB) has formally approved the EGI Software Vulnerability Issue Handling Process

However, this procedure is at present undergoing major revision. (Oct 2020)

Intel and other processor speculative execution vulnerabilities (including Meltdown and Spectre)

Here SVG provides information that may be useful to various sites concerning the various SVG Speculative execution vulnerabilities

Software for use on the EGI infrastructure

SVG cannot dictate what software is in use on the infrastructure, especially in the rapidly changing environment.

If you are involved in selecting software for use in the EGI infrastructure, or developing software for use in the EGI infrastructure it is important that you take some of the responsibility for the security of that software.

To help, we have produced a Software Security Checklist of things that you should consider.

You may also be interested in joining the Deployment Expert Group. (DEG)

What if you find a software vulnerability?

If it has not been announced publicly:--

DO NOT discuss on a mailing list - especially one with an open subscription policy or public archive

DO NOT post information on a web page

DO NOT publicise in any way - e.g. to the media

IMMEDIATELY Report it to report-vulnerability (at) egi.eu

Vulnerabilities announced publicly may be reported to this address too, which may be serious either to EGI, EUDAT, or other services in the EOSC-hub catalogue. This ensure SVG is aware of them, and able to assess the impact.

See Reporters View

Main Tasks of the EGI Software Vulnerability Group

  • Provide an efficient process to report, handle, and resolve software vulnerabilities in software used in the EGI infrastructure.

This is the largest activity of the EGI SVG.

  • Provide consultation on software vulnerabilities to the CSIRT team and other EGI groups.
  • Collaborate with other partners to identify vulnerabilities, and share information on vulnerabilities.
  • Encourage developers to write secure code, thus reducing the likelihood of future problems, by education and awareness.
  • Encourage all those involved in the selection and deployment of software to be aware of security, aware that software deployed should be under security maintenance and configured in a secure manner.

Incidents

If a vulnerability has been exploited, it is an incident, and is NOT handled by the EGI Software Vulnerability Group.

You should then follow the EGI CSIRT Incident Handling Procedure

Also see the EGI CSIRT Incident Reporting Wiki

Several people are in both the EGI Incident Response Task Force as well as the Software Vulnerability group, so sending to either will probably get forwarded fairly quickly to the right people.

The Software Vulnerability Issue Handling process

The EGI Software Vulnerability issue handling summary contains a brief summary of the issue handling process, and links to further information.

This has been updated and updates approved by the Operations Management Board in December 2015, further updated and updates approved by the OMB in November 2017.

This is undergoing revision at time of writing, to cope with the increased inhomogeneity of the infrastructure.

Other activities

Vulnerability Assessment is the proactive examination of software in order to find vulnerabilities that may exist. At present there is no funding to carry out this activity.

The SVG also encourages developers to write Secure Code Secure Coding

A poster is available summarising the work of SVG File:PosterSVG-2011.pdf (This is a little old, and rather focussed on Grid Middleware)