The Grid Security Vulnerability Group (GSVG)
Purpose of the Grid Security Vulnerability Group (GSVG)
In EGEE II the Grid Services Security Vulnerability and Risk Assessment task was defined. The stated aim is "to incrementally make the Grid more secure and thus provide better availability and sustainability of the deployed infrastructure". The Grid Security Vulnerability Group aims to eliminate any vulnerabilities in the system and prevent any new ones from being introduced. This activity is continuing in EGEE III.
Note that the vulnerability group's role is not to handle incidents. Incidents should be reported according to the LCG incident handling procedure. The GSVG aims to help prevent incidents.
Overall security in EGEE III is described at http://www.eu-egee.org/security/
Handling Specific issues
The largest activity of the GSVG is the Grid Vulnerability issue handling. This handles specific potential issues of various types regardless of who finds them.
The Vulnerability Process describes the details, including the criteria for Risk Assessments. This was revised for EGEE-III, and the latest version was produced on 25th November 2009.
Reporting a Vulnerability
If you become aware of a vulnerability, you can inform the GSVG by e-mail to grid-vulnerability-report@cern.ch
Security Advisories
The GSVG produces advisories concerning grid security vulnerabilities according to the defined procedure.
GSVG deliverables
The GSVG produced the EGEE-II EU deliverable DSA 1.3, "Grid Services Security Vulnerability and Risk Analysis" document. This is available at https://edms.cern.ch/document/726139/
The GSVG has also produced milestone MSA1.8 for EGEE-III. The title is the same as the EGEE-II deliverable "Grid Security Vulnerability and Risk Analysis" with the subtitle "Grid Security Vulnerability detection, Risk Assessment, Handling, and Prevention strategies". This is available at https://edms.cern.ch/document/988573/
Vulnerability Prevention and detection
As well as handling specific vulnerabilities which we have discovered or have been reported to us, we also attempt to educate developers in defensive coding to prevent vulnerabilities. This forms our Vulnerability Prevention work in collaboration with others.
Vulnerability Detection is also carried out by some of our collaborators to find potential vulnerabilities so that they may be eliminated.
Last modified Wed 25 November 2009.