EGI Software Vulnerability Group and Risk Assessment Team

Explore the purpose and activities of the EGI Software Vulnerability Group (SVG) and Risk Assessment Team (RAT) in handling software vulnerabilities to safeguard the EGI infrastructure. Learn about their efforts in preventing and minimizing security incidents by addressing software vulnerabilities effectively.

  • EGI
  • Software Vulnerability
  • Security
  • Risk Assessment
  • Handling


Presentation Transcript


  1. The EGI Software Vulnerability Group (SVG)
     Linda Cornwall, STFC
     EGI Conference and INDIGO Summit 2017
     www.egi.eu
     This work by EGI.eu is licensed under a Creative Commons Attribution 4.0 International License.

  2. Purpose of SVG
     • Preventing security incidents: in EGI the majority of the work done by the security teams goes into preventing incidents.
     • We can't prevent all security incidents.
     • Incidents can occur due to exploitation of software vulnerabilities; we want to keep these to a minimum.
     • The EGI Software Vulnerability Group's purpose is to minimize the risk to the EGI infrastructure arising from software vulnerabilities.
     (EGI Conference and INDIGO Summit, SVG, Linda Cornwall, 10th May 2017)

  3. Vulnerability Handling
     • The largest activity is handling software vulnerabilities reported to us, which includes:
       – vulnerabilities announced by software distributors which may be relevant to us, such as the Linux kernel, other Linux software, and cloud enabling software;
       – vulnerabilities reported to us by those who discover them, in software in the EGI repository or other repositories, often produced by people we know, e.g. Grid middleware and collaborating projects and institutes.
     • 1000s of vulnerabilities are discovered each year; SVG deals with those which are serious for EGI.
     • SVG advises sites to take action on relevant and serious vulnerabilities.
     • SVG deals with vulnerabilities in software developed by ourselves or our collaborators.

  4. EGI SVG Risk Assessment Team (RAT)
     • The EGI SVG RAT is the group of people who handle software vulnerabilities for EGI.
     • RAT members are mostly volunteer/invited effort: software security experts, Grid and Cloud software and deployment experts, experienced sysadmins, plus all members of the EGI IRTF (Incident Response Task Force).
     • Members have access to information in the EGI vulnerability handling tracker.
     • Members agree by e-mail not to disclose information learnt, except as part of the procedure, without the agreement of SVG.
     • The activity depends on having a number of RAT members: a small fraction of each person's time, but lots of expertise needed.

  5. Basic method of handling vulnerabilities reported
     • Anyone may report an issue by e-mail to report-vulnerability@egi.eu
     • If it has not been announced, SVG contacts the software provider, and the software provider investigates (with an SVG member, the reporter, and others).
     • The relevance and effect in EGI are determined.
     • If relevant to EGI, the risk in the EGI environment is assessed and put in 1 of 4 categories: Critical, High, Moderate or Low.
     • If it has not been fixed, a Target Date (TD) for resolution is set: High 6 weeks, Moderate 4 months, Low 1 year.
     • An advisory is issued by SVG:
       – when the vulnerability is fixed, if EGI SVG is the main handler of vulnerabilities for this software, or the software is in the EGI repository, regardless of the risk;
       – if the issue is Critical or High in the EGI infrastructure;
       – if we think there is a good reason to issue an advisory to the sites.
     • CSIRT monitors for Critical and High risk vulnerabilities.

  6. SVG evolving
     • At the beginning of EGI, SVG was geared to handle vulnerabilities in Grid middleware and other software in the EGI UMD. EGI CSIRT (Computer Security Incident Response Team) handled vulnerabilities in the Linux kernel. EGI was quite homogeneous: Grid technology only.
     • A couple of years ago: all IRTF members joined SVG; all types of vulnerability are risk assessed by the RAT; all advisories are in one place.

  7. Late 2015: major revision of the issue handling procedure
     • Include the Linux operating system and kernel (previously handled by CSIRT).
     • Federated Cloud: issues in cloud enabling software and VM images.
     • In general a wider range of software, less homogeneous, less Grid focus.
     • SVG RAT members may not know so much about it, so there is more need to ask those who do, e.g. software providers for issues reported to us.

  8. Wider range of people in the RAT
     • Earlier RAT members were Grid middleware experts.
     • IRTF consists of those who take a Security Officer on Duty role:
       – important for their expertise;
       – important to have a consistent approach for all wide-ranging vulnerabilities;
       – important that they see issues, and can take urgent action if necessary.
     • Several Cloud experts have joined the RAT.

  9. Software Checklist
     • SVG and other security teams cannot be experts on all software used on the EGI infrastructure, nor can security teams dictate what software is in use.
     • Those selecting or developing software should think about maintainability and security.
     • A checklist was produced to help: 10 things to think about, which helps avoid some of the obvious/common problems.
     • Take 5 minutes to check against this list if you are thinking about deploying new software, or writing software: https://wiki.egi.eu/wiki/SVG:Software_Security_Checklist

  10. Further revision to SVG issue handling in progress
     • Clarifying/improving the description and criteria for the 4 risk categories.
     • Critical vulnerabilities where there isn't a fix: we have said we handle these on a case by case basis; suggested steps, based on recent situations.
     • Tie in better with the CSIRT operational handling: clarify which steps are SVG's and which are IRTF's. In some cases IRTF has tools to contact specific sites which SVG doesn't have.

  11. Other revisions planned
     • Another look at Cloud related handling, from 18 months' experience: improve how to contact VM endorsers and operators.
     • Some cases where we are advising on configuration: check for bad configuration, which may or may not include a risk.
     • Some cases where sites should update, but the risk is difficult to establish as it depends on the specific site configuration; sometimes we may say "Up to HIGH".

  12. Some Numbers

     Year           Number of vulnerabilities   Number of advisories   CRITICAL   HIGH
     2011           34                          14                     3          6
     2012           22                          17                     2          4
     2013           38                          15                     3          4
     2014           36                          26                     6          11
     2015           46                          34                     8          14
     2016           41                          26                     6          8
     2017 (to May)  26                          10                     1          6*

     * of which 2 were "Up to HIGH"

  13. If you find a vulnerability...
     • IF it has not been announced publicly:
       – DO NOT discuss it on a mailing list, especially one with an open subscription policy or which is archived publicly.
       – DO NOT post information on a web page.
       – DO NOT publicise it in any way without the agreement of SVG.
       – DO report it to SVG via report-vulnerability@egi.eu. This creates a ticket in the report-vulnerability tracker, which will be seen by the SVG Risk Assessment Team.
     • Vulnerabilities announced publicly may be reported to this address too, to alert SVG.

  14. Detailed vulnerability handling procedure
     • In the EGI Doc server at https://documents.egi.eu/secure/ShowDocument?docid=2538
     • The procedure for handling software vulnerabilities is approved by the EGI Operations Management Board (OMB). This helps cover us in the case someone complains, e.g. if a vulnerability is exploited while we are waiting for a fix: "Why didn't you tell us about it?"
     • Currently under revision.
     • EGI SVG Wiki at https://wiki.egi.eu/wiki/SVG

  15. Thank you for your attention. Questions?
     www.egi.eu
     This work by EGI.eu is licensed under a Creative Commons Attribution 4.0 International License.
