On this issue, the following paper may be of interest. It contemplates an orderly trade in exploits:
http://securityevaluators.com/files/papers/0daymarket.pdf . Thank you, Al Matthews, Software Dev, Atlanta University Center ________________________________________ From: Code for Libraries [CODE4LIB@LISTSERV.ND.EDU] On Behalf Of Peter Murray [peter.mur...@lyrasis.org] Sent: Friday, April 20, 2012 1:47 PM To: CODE4LIB@LISTSERV.ND.EDU Subject: Re: [CODE4LIB] SEC4LIB or "Hack, Crack, and Frakk" breakout sessions I remember the related discussion from last month (http://serials.infomotions.com/code4lib/archive/2012/201203/thread.html#777) -- and kudos for bringing it up again -- and I find I'm still of mixed feelings about it. Security is an important aspect of software development, no argument, but I wonder if there is something separate or distinct for libraries about the topic. What I do wonder about, though, is if there is a role for a generic-to-libraries security incident response team that would responsibly take in reports of security problems, work with vendors and/or software developers, and publish outcomes. I could see a need for such a team that was respected in our field and had contacts with people from the vendor community and FOSS projects. Peter On Apr 20, 2012, at 12:35 PM, Erin Germ wrote: > At IUG I talked to a few people about security of library services and > applications. Becky had mentioned doing a breakout session to discuss > security at the next IUG or conference. > > Would anyone be interested in helping plan a breakout session and > discussing security of library services and application? A recent > presentation lead me to believe it would also be of great value to have a > set of good practices that are very accessible to those who do not have a > security, or even IT, background. > > Or would anyone be interested in forming an informal SEC4LIB discussion > group. This would be an informal group to discuss existing security > features and shortcomings of library services and applications. Ideally > this would include a blend of high and low level skills and knowledge. > > I am personally interested in documenting known and patched vulnerabilities > of current and past library software and services. -- Peter Murray Assistant Director, Technology Services Development LYRASIS peter.mur...@lyrasis.org +1 678-235-2955 1438 West Peachtree Street NW Suite 200 Atlanta, GA 30309 Toll Free: 800.999.8558 Fax: 404.892.7879 www.lyrasis.org LYRASIS: Great Libraries. Strong Communities. Innovative Answers. ----------------------------------------- ************************************************************************************************** The contents of this email and any attachments are confidential. They are intended for the named recipient(s) only. If you have received this email in error please notify the system manager or the sender immediately and do not disclose the contents to anyone or make copies. ** IronMail scanned this email for viruses, vandals and malicious content. ** **************************************************************************************************