EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Federated Cloud and Software Vulnerabilities Linda Cornwall, STFC 20 th January 2015 EGI Fed Cloud F2F st January 20151

EGI-InSPIRE RI What do we want? Software deployed on the Cloud infrastructure to not cause security problems that lead to security incidents This means, as a minimum:-- Software doesn’t have obvious security problems or basic security errors If software security vulnerabilities are found, then they are handled appropriately, product teams are easy to contact, and problem is fixed in a timely manner according to the severity, parties deploying software notified and able to update. 20th January

EGI-InSPIRE RI And when a vulnerability is found EGI SVG is able to handle according to an approved procedure Investigation by SVG and the development team If valid – carry out a risk assessment (Critical, High, Moderate or Low) Set Target Date for resolution according to Risk Advisory issued to sites when problem is fixed For e.g. linux announcements – only risk assess for our environment - advisory for high or critical Since Vulnerabilities handled consistently across EGI Grid infrastructure (see last slide to find more info) 20 th January

EGI-InSPIRE RI Some progress since Sept (Big data) Acceptance that this activity continues to be important in the Fed Cloud 4 new SVG members Alvaro Lopez Garcia, Enol Fernandez del Castillo (both Fed Cloud) Edward Karavakis (WLCG), Bartlomiej Balcerek Other new members are welcome, especially those with FedCloud technical expertise

EGI-InSPIRE RI Some clarification has occurred Fed cloud says ‘User’ is in change – which is what the policy group has called ‘VM Operator’ High skill level instantiates VMs See Security Policy for the Endorsement and Operation of Virtual Machine Images ‘End User’ – (e.g. scientist) connects to VMs to carry out their work Less skilled

EGI-InSPIRE RI Software the fed cloud depends on must be O.K. Started on Technology provider questionnaire Good for security critical software which Fed Cloud depends on (I’ve had no time to work on this recently) Possibility of smaller checklist, for all software Very basic checks, e.g. for insecure constructs, not validating user input. More detailed assessment for some, e.g. AAI No clear source of effort for this

EGI-InSPIRE RI VM Operator software VM operators also need to use secure software within their VMs Possibly Checklist For ‘End User’ access, certain methods or software could be assessed by EGI and recommended for use This is something that could add value to the EGI Fed cloud compared to using others

EGI-InSPIRE RI Vulnerability handling Main next step is to revise SVG vulnerability issue handling procedure To take account of Fed Cloud situation Commercial announcements, community s/w Cloud enabling s/w, VO software Contacts etc. All s/w on which EGI Fed cloud depends must be maintained

EGI-InSPIRE RI Software Security Support All software on which EGI fed cloud depends MUST be under security support I.e. someone must be available to fix any vulnerabilities found Minimum is if a research institute says someone unfunded is providing support in working time Problem if someone doing work as a hobby Do we really want to depend on hobby support?

EGI-InSPIRE RI Contacts for S/W enabling fed cloud It should be clear how to contact software providers, who are providing software which enables fed cloud For a large commercial provider their web page may provide details on how to report problems For community software, SVG should have direct contact details (persons, list.)

EGI-InSPIRE RI Contact –VO software VO specific software – i.e. that instantiated by a VM Operator – VO contact details acceptable. Needs to be clear to which VO something belongs No more than 1 between SVG and the development team E.g. contact VO security contacts, they know the development team VO software, software instantiated by VM Operator may get stopped if security probs

EGI-InSPIRE RI VM images and updates (if not discussed previously in security session) Images in AppDB must be kept up to date Endorser's job doesn’t end with the production of the image VM images must be kept up to date Short lived and re-instantiate or patched? Training/certification for endorsers?

EGI-InSPIRE RI SVG (re)-invigorate Possibly a F2F meeting, with new members and old Need to combine experience of established SVG members and new Cloud members Establish how we do vulnerability handling in the Fed Cloud

EGI-InSPIRE RI Software dependencies generally There is an issue that EGI is dependent on a lot of 3 rd party software Linux, OpenStack, OpenNebula, java, ….. Possibly EGI should consider whether our infrastructure can influence such software development and maintenance

EGI-InSPIRE RI Questions/Discussion ??

EGI-InSPIRE RI More Info on EGI SVG EGI SVG Wiki Basic vulnerability handling summary Approved issue handling procedure Presentation from EGI Community Forum resId=0&materialId=slides&confId= th Sept 2014 Linda Cornwall, STFC, Software security 16