SVG

From EGIWiki


The EGI Software Vulnerability Group (SVG)

The purpose of the EGI Software Vulnerability Group is "To minimize the risk to the EGI infrastructure arising from software vulnerabilities".

The EGI SVG runs a procedure for handling reported software vulnerabilities that are relevant to the EGI infrastructure. This covers vulnerabilities announced by major software providers, as well as vulnerabilities in software developed by collaborating projects and organisations and used in the EGI infrastructure.

Advisories are issued by SVG as part of this process.

The EGI Operations Management Board (OMB) has formally approved the EGI Software Vulnerability Issue Handling Process.

Software for use on the EGI infrastructure

SVG cannot dictate what software is in use on the infrastructure, especially in such a rapidly changing environment.

If you are involved in selecting software for use in the EGI infrastructure, or in developing software for use in the EGI infrastructure, it is important that you take some of the responsibility for the security of that software.

To help, we have produced a Software Security Checklist of things that you should consider.

What if you find a software vulnerability?

If it has not been announced publicly:

DO NOT discuss it on a mailing list, especially one with an open subscription policy or a public archive

DO NOT post information about it on a web page

DO NOT publicise it in any way, e.g. to the media

IMMEDIATELY report it to report-vulnerability (at) egi.eu

Vulnerabilities that have already been announced publicly may also be reported to this address, to ensure SVG is aware of them.

See Reporters View

Main Tasks of the EGI Software Vulnerability Group

Handling reported software vulnerabilities is the largest activity of the EGI SVG.

Incidents

If a vulnerability has been exploited, it is an incident, and it is NOT handled by the EGI Software Vulnerability Group.

You should then follow the EGI CSIRT Incident Handling Procedure.

Also see the EGI CSIRT Incident Reporting Wiki.

Several people are members of both the EGI Incident Response Task Force and the Software Vulnerability Group, so a report sent to either will usually be forwarded quickly to the right people.

The Software Vulnerability Issue Handling process

The EGI Software Vulnerability issue handling summary gives a brief overview of the issue handling process, with links to further information.

The process was updated, and the updates approved by the Operations Management Board, in December 2015.

Other activities

Vulnerability Assessment is the proactive examination of software in order to find vulnerabilities that may exist before they are reported or exploited. At present there is no funding to carry out this activity.

The SVG also encourages developers to write secure code; see Secure Coding.

A poster summarising the work of SVG is available: File:PosterSVG-2011.pdf (this is a little old, and rather focused on Grid Middleware).
