I remember the related discussion from last month (http://serials.infomotions.com/code4lib/archive/2012/201203/thread.html#777) -- and kudos for bringing it up again -- and I find I'm still of mixed feelings about it. Security is an important aspect of software development, no argument, but I wonder if there is something separate or distinct for libraries about the topic. What I do wonder about, though, is if there is a role for a generic-to-libraries security incident response team that would responsibly take in reports of security problems, work with vendors and/or software developers, and publish outcomes. I could see a need for such a team that was respected in our field and had contacts with people from the vendor community and FOSS projects.
On Apr 20, 2012, at 12:35 PM, Erin Germ wrote:
> At IUG I talked to a few people about security of library services and
> applications. Becky had mentioned doing a breakout session to discuss
> security at the next IUG or conference.
> Would anyone be interested in helping plan a breakout session and
> discussing security of library services and applications? A recent
> presentation led me to believe it would also be of great value to have a
> set of good practices that are very accessible to those who do not have a
> security, or even IT, background.
> Or would anyone be interested in forming an informal SEC4LIB discussion
> group? This would be an informal group to discuss existing security
> features and shortcomings of library services and applications. Ideally
> this would include a blend of high and low level skills and knowledge.
> I am personally interested in documenting known and patched vulnerabilities
> of current and past library software and services.
Assistant Director, Technology Services Development
1438 West Peachtree Street NW
Atlanta, GA 30309
Toll Free: 800.999.8558
LYRASIS: Great Libraries. Strong Communities. Innovative Answers.