Real World Security Response

Mark Cox, Consulting Engineer, Red Hat

Track: Linux, Security
Date: Thursday, July 27
Time: 10:45am - 11:30am
Location: F150

Every open source project has its own process and procedures on how to deal with vulnerabilities found in their code. This talk will take a look at how groups such as the Apache Software Foundation and OpenSSL project have set up security response processes and show when the process has worked and when it has gone horribly wrong.

We'll take a look at the impact of, and debate around, informing distribution vendors such as Red Hat, and at how and when it's useful to involve CERTs and NISCC and what they're useful for. We'll look at where groups without the expertise or time to handle security issues on their own can go to get advice and help, and at how to manage the press and research firms.

We'll explain how the CVE (Common Vulnerabilities and Exposures) project works, including how to allocate names and what they mean, and take a brief look at OVAL (Open Vulnerability and Assessment Language), the National Vulnerability Database, and CVSS (Common Vulnerability Scoring System).

By looking at both the shared and the differing approaches, and through examples, we can gain an understanding of why different groups take different approaches and the relative merits of each decision.