Software Vulnerability Group Status update


Software Vulnerability Group Status update
Linda Cornwall, STFC
CSIRT F2F, 17-19th Jan 2017, Prague

Reminders
- Purpose of SVG: "To minimize the risk to the EGI infrastructure arising from software vulnerabilities"
- Wiki at https://wiki.egi.eu/wiki/SVG
- Checklist for selecting/writing software: https://wiki.egi.eu/wiki/SVG:Software_Security_Checklist
  - Do we want to publicise this further? Or update it?
- Main activity continues to be handling reported software vulnerabilities
- Advisories are sent to sites and placed on the wiki

Issue handling (reminder)
- Anyone may report an issue by e-mail to report-vulnerability@egi.eu
- If it has not been announced, SVG contacts the software provider, and the software provider investigates (with an SVG member, the reporter and others)
- The relevance and effect in EGI are determined
- If relevant to EGI, the risk in the EGI environment is assessed and put in one of four categories: 'Critical', 'High', 'Moderate' or 'Low'
- If it has not been fixed, a Target Date (TD) for resolution is set: 'High' 6 weeks, 'Moderate' 4 months, 'Low' 1 year

Advisories issued
- An advisory is issued by SVG:
  - when the vulnerability is fixed, if EGI SVG is the main handler of vulnerabilities for this software or the software is in an EGI repository, regardless of the risk
  - if the issue is 'Critical' or 'High' in the EGI infrastructure
  - if we think there is a good reason to issue an advisory to the sites
- The advisory is 'Amber' if:
  - the risk is 'High' or 'Critical' and the information is not public
  - there is some other reason to be Amber
  - it usually becomes 'White' after 2 weeks, assuming the issue is fixed
- Otherwise it is usually 'White'
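The issue-handling and advisory rules on the two slides above, encoded as a small Python model (an added example, not SVG's own tooling; the names Issue, target_date, advisory_needed and advisory_colour are assumptions, and 'Critical' gets no target date because the slides give none):

```python
# Added example modelling the SVG rules on the slides (not SVG's own tooling); names are assumptions.
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple

def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping the day to the target month's length."""
    y, m0 = divmod(d.month - 1 + months, 12)
    y, m = d.year + y, m0 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))

def target_date(reported: date, risk: str, fixed: bool) -> Optional[date]:
    """Target Date (TD) for resolution, set only while the issue is unfixed:
    'High' 6 weeks, 'Moderate' 4 months, 'Low' 1 year.  The slides give no TD
    for 'Critical', so none is modelled (assumption: handled out of band)."""
    if fixed:
        return None
    if risk == "High":
        return reported + timedelta(weeks=6)
    if risk == "Moderate":
        return add_months(reported, 4)
    if risk == "Low":
        return add_months(reported, 12)
    return None

@dataclass
class Issue:
    software: str
    risk: str                # 'Critical', 'High', 'Moderate' or 'Low'
    fixed: bool
    svg_main_handler: bool   # EGI SVG is the main vulnerability handler for it
    in_egi_repository: bool  # software ships in an EGI repository (UMD/CMD)
    info_public: bool        # vulnerability details are already public
    other_reason_advisory: bool = False
    other_reason_amber: bool = False

def advisory_needed(i: Issue) -> bool:
    """Advisory when fixed and SVG is main handler or software is in an EGI
    repository (regardless of risk); for Critical/High; or for another reason."""
    if i.fixed and (i.svg_main_handler or i.in_egi_repository):
        return True
    return i.risk in ("Critical", "High") or i.other_reason_advisory

def advisory_colour(i: Issue, issued: date) -> Tuple[str, date]:
    """Initial colour and the date it is expected to go White: Amber if
    High/Critical and not public (or other reason), usually White 2 weeks later."""
    if (i.risk in ("Critical", "High") and not i.info_public) or i.other_reason_amber:
        return "Amber", issued + timedelta(weeks=2)
    return "White", issued
```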

Numbers since the start of 2016 (as of 12th January 2017)
- 41 reported issues in 2016 (4 already this year)
  - 5 gLite, 2 dCache, 6 kernel, 6 OS general, 6 cloud enabling
  - Risk: 6 'Critical', 9 'High', 10 'Moderate'
- 26 advisories issued publicly in 2016 (see the 2016 table); + 2 this year already
- Since the last CSIRT F2F meeting: 15 reported
- At present 8 open tickets

Advisory Template
- Further minor revisions to the advisory template
- Most recently added the Context section, stating that the risk is assessed in the context of the EGI infrastructure
- People may re-use it if they credit SVG
- Also added some 'skeleton' references
- See https://wiki.egi.eu/wiki/SVG:General_Advisory_Template
- Suggestions for further improvements welcome

Some other issues: deviation from procedure
- Ask sites to check, with no risk assessment, e.g. the OpenStack Nova metadata information leak
- For some vulnerabilities it is enough for Enol or other Fed Cloud people to update in AppDB, e.g. the Docker escape vulnerability CVE-2016-9962; no advisory needed
- Possibly this is another part of the procedure

Cloud Middleware Distribution (CMD)
- CMD V1 now available: http://repository.egi.eu/category/os-distribution/cmd-os-1/
- This contains cloud-enabling software on top of OpenStack Mitaka
- At present contains:
  - Keystone-VOMS 9.0.3
  - ooi 0.3.2
  - gridsite 2.3.3
  - Cloud BDII Information Provider 0.6.12
- OpenStack itself is obtained from elsewhere (rather like the OS)
- This will allow sites to easily install the tools needed, AND SVG can handle it in the same way as the UMD

Other Cloud related
- VM Operator role got discussed again at the FedCloud F2F at the end of November
- Some still not keen. I thought I'd won this battle in June 2016

Mailing lists related to Fed Cloud (Vincent)
- For the Critical Vulnerability handling & VA de-endorsement procedure, I think that we would need mailing lists for:
  - VA owners + VA endorsers (Advisory)
  - VM Operator (Advisory + de-endorsement notifications)
- For de-endorsement notification, it would be better to only notify people using it, but I don't think this is currently possible.
- But we do have VO security contacts via the ops portal

Other
- Notes on Risk: needs updating, no progress yet
- https://wiki.egi.eu/wiki/SVG:Notes_On_Risk