Alert.png The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.

QosCosGrid Initial Security assessment

From EGIWiki
Jump to navigation Jump to search

This wiki page documents the progress of the QCG initial security assessment, from first contact to conclusion on whether to proceed or not.

The final security assessment of the QCG 2.6.1 is available here.

The security architecture of the QosCosGrid suite is available at http://apps.man.poznan.pl/trac/qcg/wiki/SecurityArchitecture


The following persons are contacts for the QosCosGrid Technology Provider for security related issues:

  • Tomasz Piontek <piontek -at- man.poznan.pl>
  • Mariusz Mamoński <mamonski -at- man.poznan.pl>
  • Bartosz Bosak <bbosak -at- man.poznan.pl>


This has sparked the following questions:

  1. A number of security flaws were found. I would be interested in:
    1. Which specific vulnerabilities were found?
    2. Out of those, which ones were fixed?
    3. Which ones were not fixed in QCG2.6.1?
  2. The report does not explicitly state whether there are remaining open vulnerabilities
  3. Certain methodologies were employed with a specific set of tools.
    1. Is it possible to provide details and results of specific tests? Perhaps to a limited distribution list (initially, once QCG would be provisioned, then full disclosure would have to be provided within a well-defined distribution list)
  4. Have there been dedicated tests around components that require root privileges while running?
    1. Perhaps these were implicitly covered by the actual tests done; perhaps

The partial answer from QCG (Tomasz Piontek)was:

  1. All known vulnerabilities in QCG has been fixed, and
  2. No significant security flaws in the tested version were found in the QosCosGrid suite.
  3. The part of code running with root privileges was checked by tools and additionally was read and analyzed "manually" by members of Security Team. Asking for the audit we requested this part to be checked meticulously.


On 18 May 2012 Linda Cornwall, SCG chair wrote: 

Dear Michel, Tomasz,

"QosCosGrid 2.6.1 middleware final security audit results" was discussed during the 
EGI SVG monthly meeting on 16th May 2012.

It is clear that the development team take security seriously, and have carried out 
detailed code analysis and testing of this software to detect and address any security flaws.

It would have been nice to have been able to see the full report, however since this 
is likely to be in Polish we realize that it is not practical.  We consider the 
summary report to be adequate in this case.

Ideally, we would like to also see a review of the architecture, focussing on security, 
including an analysis of how the components work together.

If an answer is needed in the next few days, we would say we have no problem with the 
QosCos Grid middleware being made available on the EGI UMD. However, if an urgent 
answer is not needed one member of the team would like to look further at the architecture 
and information on the web page.

We also consider examining the architecture from a security viewpoint as important for 
future decisions on whether middleware should be allowed to be used in the EGI 
infrastructure, and plan to develop some general questions and criteria for accepting 
new middleware in the coming months.

Regards,

Linda Cornwall.
Retrieved from "https://wiki.egi.eu/w/index.php?title=QosCosGrid_Initial_Security_assessment&oldid=42606"