Alert.png The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

Difference between revisions of "SVG:SVG"

From EGIWiki
Jump to navigation Jump to search
(Deprecate and redirect page)
Tag: Replaced
 
(15 intermediate revisions by 3 users not shown)
Line 1: Line 1:
{{svg-header}}
{{DeprecatedAndMovedTo|new_location=https://confluence.egi.eu/display/EGIBG/SVG}}
 
== The EGI Software Vulnerability Group (SVG) ==
 
The purpose of the EGI Software Vulnerability Group is "To minimize the risk to the EGI infrastructure arising from software vulnerabilities“
 
The EGI SVG runs a procedure for handling software vulnerabilities reported which are relevant to the EGI infrastructure. 
This includes vulnerabilities announced by major providers, as well as software which is developed by collaborating projects and organisations used in the EGI infrastructure. 
 
[[SVG:Advisories | Advisories]] are issued by SVG as part of this process.
 
The EGI Operations Management Board (OMB) has formally approved the [https://documents.egi.eu/document/3145 EGI Software Vulnerability Issue Handling Process ]
 
* [https://documents.egi.eu/document/108 Terms of Reference] (Note that these are currently undergoing revision.)
 
== More on processor vulnerabilities  ==
 
This provides more information on Processor vulnerabilities (Not written yet)
 
[[SVG:L1TF  | EGI SVG L1TF and others ]]
 
== Meltdown and Spectre variant 4  ==
 
This provides links to infomation on the 4th variant of the Meltdown/Spectre CPU hole announced in May 2018 which may be useful to sites
 
[[SVG:Spectre 4th Variant | EGI SVG Information on 4th Variant]]
 
== Meltdown and Spectre Vulnerabilities ==
 
 
 
This provides info on the Meltdown and Spectre vulnerabilities made public in January 2018.
 
SVG compiled links to information which may be useful to EGI sites.
 
[[SVG:Meltdown and Spectre Vulnerabilities | EGI SVG Information on Meltdown and Spectre Vulnerabilities]]
 
== Software for use on the EGI infrastructure ==
 
SVG cannot dictate what software is in use on the infrastructure, especially in the rapidly changing environment.
 
If you are involved in selecting software for use in the EGI infrastructure, or developing software for use in the EGI infrastructure it is important that you take some of the responsibility for the security of that software.
 
To help, we have produced a [[SVG:Software Security Checklist | Software Security Checklist ]] of things that you should consider.
 
== What if you find a software vulnerability? ==
 
If it has not been announced publicly:--
 
'''DO NOT''' discuss on a mailing list - especially one with an open subscription policy or public archive
 
'''DO NOT''' post information on a web page
 
'''DO NOT''' publicise in any way - e.g. to the media
 
'''IMMEDIATELY Report it to report-vulnerability (at) egi.eu'''
 
Vulnerabilities announced publicly may be reported to this address too, to ensure SVG is aware of them.
 
See [[SVG:Reporters_View | Reporters View ]]
 
== Main Tasks of the EGI Software Vulnerability Group ==
 
*Provide an efficient process to report, handle, and resolve software vulnerabilities in software used in the EGI infrastructure.
 
This is the largest activity of the EGI SVG.
 
*Provide consultation on software vulnerabilities to the CSIRT team and other EGI groups.
 
*Collaborate with other partners to identify vulnerabilities, and share information on vulnerabilities.
 
*Encourage developers to write secure code, thus reducing the likelihood of future problems, by education and awareness.
 
*Encourage all those involved in the selection and deployment of software to be aware of security, aware that software deployed should be under security maintenance and configured in a secure manner.
 
== Incidents ==
 
If a vulnerability has been exploited, it is an incident, and is NOT handled by the EGI Software Vulnerability Group. 
 
You should then follow the EGI CSIRT Incident Handling Procedure
* https://wiki.egi.eu/wiki/SEC01
 
Also see the [[EGI_CSIRT:Incident_reporting | EGI CSIRT Incident Reporting Wiki ]]
 
Several people are in both the EGI Incident Response Task Force as well as the Software Vulnerability group, so sending to either will probably get forwarded fairly quickly to the right people.
 
== The Software Vulnerability Issue Handling process ==
 
The EGI Software Vulnerability [[SVG:Issue Handling Summary |  issue handling  summary]] contains a brief summary of the issue handling process, and links to further information.
*[https://documents.egi.eu/document/3145 EGI Software Vulnerability Issue Handling Process ]
 
This has been updated and updates approved by the Operations Management Board in December 2015, further updated and updates approved by the OMB in November 2017.
 
== Other activities ==
 
[[SVG:Vulnerability Assessment | Vulnerability Assessment]] is the proactive examination of software in order to find vulnerabilities that may exist. At present there is no funding to carry out this activity.
 
The SVG also encourages developers to write Secure Code [[SVG:Secure Coding | Secure Coding ]]
 
A poster is available summarising the work of SVG  [[File:PosterSVG-2011.pdf | Poster ]] (This is a little old, and rather focussed on Grid Middleware)

Latest revision as of 11:46, 15 April 2022

Alert.png This article is Deprecated and has been moved to https://confluence.egi.eu/display/EGIBG/SVG.