SecurityTeam

Differences between revisions 33 and 34
Revision 33 as of 2009-08-03 09:06:10
Size: 4147
Editor: 89
Comment: move link to usn to Knowledgebase
Revision 34 as of 2010-10-14 03:17:57
Size: 4154
Editor: modemcable144
Comment:
Deletions are marked like this. Additions are marked like this.
Line 34: Line 34:
 * [[UbuntuFirewall]]  * [[UncomplicatedFirewall]]

Introduction

The Ubuntu Security Team represents multiple teams of people dedicated to keeping Ubuntu and its users secure through fixing vulnerabilities and contributing to its security development. The primary teams are:

Vulnerabilities

A security vulnerability can be defined as "a mistake in software that can be directly used by a hacker to gain access to a system or network" -- Mitre. There are many different types of vulnerabilities, some of which are denial of service, gaining user or root privileges, data loss, and information disclosure. The Ubuntu Security Team and Ubuntu community work together to find and correct these mistakes through various activities.

Auditing

Searching for security vulnerabilities is usually referred to as auditing. The Ubuntu Security Team often performs audits on software before it is to be officially supported. Once vulnerabilities are found, the Security Team uses responsible disclosure to let others know about the issue. The Auditing page has more information.

Tracking

Most flaws in software are found by security researchers and users of the software. These flaws are tracked globally in the MITRE CVE database, and the Security Team will track issues that affect Ubuntu in the Ubuntu CVE Tracker. As new issues come in, they are evaluated, or triaged, then added to the CVE Tracker. As issues are fixed the CVEs are updated and retired.

For security vulnerabilities that do not have a CVE yet, a new bug is filed. The bug is triaged and if appropriate, a CVE requested by a member of the Security Team.

Fixing

After a flaw is found and assigned a CVE, it should be fixed. Oftentimes the author of the software will provide a patch, or a patch will be created by other developers, including the Ubuntu Security Team. Details for providing security updates to Ubuntu can be found in SecurityTeam/UpdateProcedures.

Testing

Before making the security update available, the update needs to be tested to see if it fixes the flaw and also doesn't introduce any regressions. The Security Team uses the QA Regression Testing suite when performing testing. QA Regression Testing has information on performing tests, checklists, scripts and various other information to help with testing.

Development

The Security Team also actively develops protections to help keep Ubuntu users safe from new vulnerabilities. Some projects that the Ubuntu Security Team actively develops are:

What You Can Do

Seem like fun? Head to the GettingInvolved page to found out how to contribute to the Security Team.

Sub-pages :

/AppArmorForPhabletKernels   /AppArmorForPreviousKernels   /AppArmorForSnappyKernels   /AppArmorPolicyReview   /Auditing   /BugTriage   /BuildEnvironment   /Contacts   /ESM   /FAQ   /ForDebianDevelopers   /GPGKeyTable   /GPGMigration   /GettingInvolved   /Header   /HighlightedPackages   /KnowledgeBase   /Meeting   /Members   /PIE   /Policies   /PublicationNotes   /ReleaseCycle   /ReleaseStatus   /Roadmap   /SecureBoot   /Specifications   /SponsorsQueue   /TestingEnvironment   /TestingMAAS   /TestingOpenStack   /UDS   /UbuntuCVETracker   /UpdateNotifications   /UpdatePreparation   /UpdateProcedures   /UpdatePublication   /WeeklyReport  

CategoryUbuntuTeams

SecurityTeam (last edited 2017-01-25 23:50:10 by emilyr)