SecurityTeam
|
Size: 1418
Comment: template buildout
|
Size: 3380
Comment: small changes
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 1: | Line 1: |
| [[Include(BuildingCommunity/SampleTeam/Header)]] | <<Include(SecurityTeam/Header)>> |
| Line 3: | Line 3: |
| ||<tablestyle="float:right; font-size: 0.9em; width:30%; background:#F1F1ED; background-repeat: no-repeat; background-position: 98% 0.5ex; margin: 0 0 1em 1em; padding: 0.5em;">'''Contents'''[[BR]][[TableOfContents]]|| | ||<tablestyle="float:right; font-size: 0.9em; width:30%; background:#F1F1ED; background-repeat: no-repeat; background-position: 98% 0.5ex; margin: 0 0 1em 1em; padding: 0.5em;"><<TableOfContents>>|| |
| Line 6: | Line 6: |
| = Introduction = ## Describe: ## the teams's purpose and community role ## the team tasks and work ## who might be interested in joining/getting involved with the team |
== Introduction == |
| Line 12: | Line 8: |
| = Contact = ## List the contact information of the team: Mailing-list, IRC channel and Web Forum as they may apply. Provide a link to the Launchpad page as a Team Member list if applicable. Consider how people will get in touch with you based on the contact information you supply. |
The Ubuntu Security Team represents multiple teams of people dedicated to keeping Ubuntu secure through fixing vulnerabilities and contributing to its security development. |
| Line 15: | Line 10: |
| = How to Contribute = ## Describe easy ways to contribute to the team. These should look a lot like the bulleted points on the ContributeToUbuntu wiki page. Link to more detailed subpages as necessary. |
== Vulnerabilities == A security vulnerability can be defined as ''"a mistake in software that can be directly used by a hacker to gain access to a system or network" -- [[http://cve.mitre.org/about/terminology.html|Mitre]].'' There are many different types of vulnerabilities, some of which are denial of service, gaining user or root privileges, data loss, and information disclosure. The Ubuntu Security Team and Ubuntu community work together to find and correct these mistakes through various activities. |
| Line 18: | Line 13: |
| = Projects = ## List the team's current projects and tasks as well as status and contact persons for each one. Make it easy for new people to know who to ask and where to go to get involved with a specific project. |
=== Auditing === Searching for security vulnerabilities is usually referred to as auditing. The Ubuntu Security Team often performs audits on software before it is to be [[MainInclusionProcess|officially supported]]. Once vulnerabilities are found, the SecurityTeam uses [[SecurityTeam/BugTriage#Private%20Bugs|responsible disclosure]] to let others know about the issue. For more information, please view [[SecurityTeam/Auditing|Auditing]]. |
| Line 21: | Line 16: |
| = Launchpad Membership Policy = ## Describe your Launchpad team membership policy here. |
=== Tracking === Most flaws in software are found by security researchers and users of the software. These flaws are tracked globally in the [[http://cve.mitre.org|MITRE CVE database]], and the Security Team will track issues that affect Ubuntu in the [[https://code.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master|Ubuntu CVE Tracker]]. As new issues come in, they are evaluated, or [[SecurityTeam/BugTriage|triaged]], then added to the CVE Tracker. As issues are fixed the CVEs are updated and retired. |
| Line 24: | Line 19: |
| = Meetings = ## Link to Meeting Agendas and old meeting summaries here. |
=== Fixing === After a flaw is found and assigned a CVE, it must be fixed. Oftentimes the author of the software will provide a patch, or a patch will be developed by other developers, including the Ubuntu Security Team. Details for providing security updates to Ubuntu can be found in SecurityUpdateProcedures. === Testing === Before making the security update available, the update needs to be tested to see if it fixes the flaw and also doesn't introduce any regressions. The Security Team uses the [[https://code.launchpad.net/~ubuntu-bugcontrol/qa-regression-testing/master|QA Regression Testing]] suite when performing testing. QA Regression Testing has information on performing tests, checklists, scripts and various other information to help with testing. == Development == The Security Team also actively develops protections to help keep Ubuntu users safe from new vulnerabilities. Some projects that the Ubuntu Security Team actively develops are: * [[AppArmor]] (see [[SecurityTeam/KnowledgeBase/AppArmorProfiles | AppArmorProfiles]] for existing default enforcing profiles in Ubuntu) * [[SELinux]] * Compiler flags ([[Security/HardeningWrapper|HardeningWrapper]]) * [[UbuntuFirewall]] == What You Can Do == Seem like fun? Head to the [[ServerTeam/GettingInvolved|GettingInvolved]] page to found out how to contribute to the SecurityTeam. |
| Line 28: | Line 36: |
| '''Sub-pages :''' [[Navigation(children,1)]] | '''Sub-pages :''' <<Navigation(children,1)>> |
Introduction
The Ubuntu Security Team represents multiple teams of people dedicated to keeping Ubuntu secure through fixing vulnerabilities and contributing to its security development.
Vulnerabilities
A security vulnerability can be defined as "a mistake in software that can be directly used by a hacker to gain access to a system or network" -- Mitre. There are many different types of vulnerabilities, some of which are denial of service, gaining user or root privileges, data loss, and information disclosure. The Ubuntu Security Team and Ubuntu community work together to find and correct these mistakes through various activities.
Auditing
Searching for security vulnerabilities is usually referred to as auditing. The Ubuntu Security Team often performs audits on software before it is to be officially supported. Once vulnerabilities are found, the SecurityTeam uses responsible disclosure to let others know about the issue. For more information, please view Auditing.
Tracking
Most flaws in software are found by security researchers and users of the software. These flaws are tracked globally in the MITRE CVE database, and the Security Team will track issues that affect Ubuntu in the Ubuntu CVE Tracker. As new issues come in, they are evaluated, or triaged, then added to the CVE Tracker. As issues are fixed the CVEs are updated and retired.
Fixing
After a flaw is found and assigned a CVE, it must be fixed. Oftentimes the author of the software will provide a patch, or a patch will be developed by other developers, including the Ubuntu Security Team. Details for providing security updates to Ubuntu can be found in SecurityUpdateProcedures.
Testing
Before making the security update available, the update needs to be tested to see if it fixes the flaw and also doesn't introduce any regressions. The Security Team uses the QA Regression Testing suite when performing testing. QA Regression Testing has information on performing tests, checklists, scripts and various other information to help with testing.
Development
The Security Team also actively develops protections to help keep Ubuntu users safe from new vulnerabilities. Some projects that the Ubuntu Security Team actively develops are:
AppArmor (see AppArmorProfiles for existing default enforcing profiles in Ubuntu)
Compiler flags (HardeningWrapper)
What You Can Do
Seem like fun? Head to the GettingInvolved page to found out how to contribute to the SecurityTeam.
Sub-pages :
SecurityTeam (last edited 2017-01-25 23:50:10 by emilyr)