
[Publicity] FOSDEM Security devroom submission



I have posted the following talk proposal to the FOSDEM Security
Devroom.  Feedback welcome.  Deadline is listed as "Tuesday 10
December", but 10 December is a Thursday; so probably best to get me
feedback before Tuesday 8 December  just in case. :-)

Title

Security response and open source: War stories from the XenProject
security response process

Abstract

Open-source software plays a vital role in our worldwide computing
infrastructure.  When vulnerabilities are discovered in our software,
our response can have a major impact on how much risk our end users are
exposed to.

The XenProject's security response process has been hardened and tested
over years of experience, and has weathered several storms.  This talk
will share some war stories from our security response process that
explain how we got to where it is today, so that you can learn the easy
way, from our experience, rather than the hard way, from your own
experience.

Full description

This talk will briefly cover the history of response processes -- from
non-disclosure to full disclosure to coordinated or "responsible"
disclosure, and pre-disclosure.

We'll then cover two major events -- XSA-7, the Intel SYSRET
vulnerability; and XSA-108 -- that highlighted some weaknesses in our
process, and how we tweaked the process in response.

Finally, we'll cover how we handled a very controversial community
discussion after XSA-7 in a way which, we hope, gave everyone in the
community an opportunity to have their voice heard and counted, in spite
of the complete lack of consensus.

Bio

George Dunlap worked with the Xen project while a graduate student at
the University of Michigan before receiving his PhD in 2006. He has done
work in many areas of Xen, including performance analysis, scheduling,
and memory management. He was "release coordinator" for the Xen 4.3 and
4.4 releases.  He is also taking the position of technical lead in
the new CentOS Virt SIG.  He writes technical articles for the
xenproject.org blog, including one describing in detail the Intel SYSRET
vulnerability, and has had articles published on Linux.com.

George Dunlap is an experienced technical speaker.  Venues include
academic conferences (OSDI and VEE), project-focused conferences (Xen
Summit), general open-source conferences (FOSDEM, LinuxCon NA and
Europe), and customer training sessions for Citrix.

_______________________________________________
Publicity mailing list
Publicity@xxxxxxxxxxxxxxxxxxxx
http://lists.xenproject.org/cgi-bin/mailman/listinfo/publicity
