On this issue, the following paper may be of interest. It contemplates an orderly trade in exploits:
http://securityevaluators.com/files/papers/0daymarket.pdf .
Thank you,
Al Matthews, Software Dev,
Atlanta University Center
________________________________________
From: Code for Libraries [[log in to unmask]] On Behalf Of Peter Murray [[log in to unmask]]
Sent: Friday, April 20, 2012 1:47 PM
To: [log in to unmask]
Subject: Re: [CODE4LIB] SEC4LIB or "Hack, Crack, and Frakk" breakout sessions
I remember the related discussion from last month (http://serials.infomotions.com/code4lib/archive/2012/201203/thread.html#777) -- and kudos for bringing it up again -- and I find I'm still of mixed feelings about it. Security is an important aspect of software development, no argument, but I wonder if there is something separate or distinct for libraries about the topic. What I do wonder about, though, is if there is a role for a generic-to-libraries security incident response team that would responsibly take in reports of security problems, work with vendors and/or software developers, and publish outcomes. I could see a need for such a team that was respected in our field and had contacts with people from the vendor community and FOSS projects.
Peter
On Apr 20, 2012, at 12:35 PM, Erin Germ wrote:
> At IUG I talked to a few people about security of library services and
> applications. Becky had mentioned doing a breakout session to discuss
> security at the next IUG or conference.
>
> Would anyone be interested in helping plan a breakout session and
> discussing security of library services and application? A recent
> presentation lead me to believe it would also be of great value to have a
> set of good practices that are very accessible to those who do not have a
> security, or even IT, background.
>
> Or would anyone be interested in forming an informal SEC4LIB discussion
> group. This would be an informal group to discuss existing security
> features and shortcomings of library services and applications. Ideally
> this would include a blend of high and low level skills and knowledge.
>
> I am personally interested in documenting known and patched vulnerabilities
> of current and past library software and services.
--
Peter Murray
Assistant Director, Technology Services Development
LYRASIS
[log in to unmask]
+1 678-235-2955
1438 West Peachtree Street NW
Suite 200
Atlanta, GA 30309
Toll Free: 800.999.8558
Fax: 404.892.7879
www.lyrasis.org
LYRASIS: Great Libraries. Strong Communities. Innovative Answers.
-----------------------------------------
**************************************************************************************************
The contents of this email and any attachments are confidential.
They are intended for the named recipient(s) only.
If you have received this email in error please notify the system
manager or the
sender immediately and do not disclose the contents to anyone or
make copies.
** IronMail scanned this email for viruses, vandals and malicious
content. **
**************************************************************************************************
|