The Role of EGI Software Vulnerability Group

Explore the purpose and importance of the EGI Software Vulnerability Group in minimizing security risks due to vulnerabilities in software, ensuring data security and consistent handling of vulnerabilities across distributed environments. Discover the key statistics, recent changes, and challenges faced by the group in defining its scope. Stay informed about the latest developments in software vulnerability management.

  • EGI
  • Software Vulnerability
  • Security
  • Data Protection
  • Distributed Environments


Presentation Transcript


  1. The EGI Software Vulnerability Group (SVG)
     EGI Conference, 2nd October 2024
     Linda Cornwall and the EGI SVG, RAL/STFC/UKRI
     EGI: Advanced Computing for Research, www.egi.eu, @EGI_eInfra
     The work of the EGI Foundation is partly funded by the European Commission under the H2020 Framework Programme.

  2. Purpose of the EGI Software Vulnerability Group
     To minimize the risk of security incidents due to software vulnerabilities.
     (Slide footer: www.egi.eu @EGI_eInfra, 21/03/2025)

  3. Why do we need SVG? (reminder)
     • Sites should patch anyway; sites are responsible for their own security. Sites should not rely entirely on advisories from SVG.
     • Since EGI CSIRT monitors whether sites have patched certain vulnerabilities, and operations may suspend sites which fail to patch, it is necessary to provide an advisory and state the consequences if they fail to patch.
     • Some software in use may be non-standard, e.g. written by those with whom we collaborate. (This is getting less common.)
     • The risk of a vulnerability may be different in our distributed environment.
     • We want to give VOs and those using services confidence that their data is secure, which includes ensuring that all sites patch and handle vulnerabilities in a suitable and consistent manner.
     • SVG should help sites stay secure, sharing the load and the knowledge.

  4. Numbers in the last year (and a bit), since 1st August 2023
     • 62 vulnerabilities reported
     • 32 advisories issued: 8 Critical, 20 High, 4 Alert/Heads up/Information
     • Public advisories are now all on advisories.egi.eu

  5. Changes over the last year and a bit
     • We have changed our advisory template: shorter and more focussed; works well with the markdown used on advisories.egi.eu, and links now work when we make an advisory public; in line with what people wanted; approved in Autumn 2023 by the OMB.
     • We now use a joint drafting tool (CERN CodiMD) to make our drafting of advisories more efficient.
     • We share our advisories with a few others, including the UK IRIS security team.

  6. Scope
     • Defining scope, and determining whether an issue is in scope, is proving tricky.
     • We define things as in scope if they are part of the EGI infrastructure, in particular Grid, Cloud and the IT services EGI depends on.
     • We don't know for sure exactly what is deployed. Do we rely on the knowledge of the people within the SVG? Do we document what is in scope? Can we have some sort of database of what is in scope?
     • We sometimes send an ALERT if we think something may affect some sites, and ask sites: "If anyone becomes aware of any situation where this vulnerability has a significant impact on the EGI infrastructure, then please inform EGI SVG."

  7. Scope (2)
     • We sometimes send an INFORMATION instead of an advisory or an alert, in particular to tell people that something being talked about does not affect us.
     • Sometimes CSIRT puts information on the CSIRT web page for things not quite in scope.
     • Scope depends on the participation of people with appropriate knowledge.
     • Defining the scope, and getting the appropriate people with the skills and knowledge to participate, is a high priority.
     • We need more people with wider knowledge of software, and of how software is deployed and used in the EGI infrastructure, to ensure that everything our infrastructure depends on IS in scope and that we can handle all relevant vulnerabilities.

  8. Other plans
     • Greater sharing of information with other teams: we have made some advances on this in the last year, e.g. UK IRIS; we can do more.
     • Looking into making restricted advisories available to sites via restricted web pages, possibly Confluence.
     • Updating our documentation: our procedure and our web pages.

  9. SVG has been going a long time
     • We have been handling vulnerabilities for a long time.
     • Hopefully, we have helped prevent incidents.
     • There is no parallel universe where this activity didn't take place to compare against, in order to find out how many incidents have been prevented!

  10. Invitation to be involved
     • Getting more people involved in SVG is probably the highest priority. We have great people in our team, but need a few more, in particular to widen our knowledge base.
     • Are you interested in being involved in the Software Vulnerability Group? A few % of your time could already make a difference. The more who participate, the more the load can be shared.
     • Do you have expertise in software or software deployment, and would you be interested in helping us keep the infrastructures secure? This could be related to cloud, HTC, HPC, anything of relevance to EGI.
     • If you would like to be involved, e-mail svg-rat .at. mailmain.egi.eu

  11. Thank you for your attention. Questions?
     This work by the EGI Foundation is licensed under a Creative Commons Attribution 4.0 International License.
