Some reckon we don't need an SVG

Why not just trust that services update, rather like our mobile phones?

Much of the software, e.g. Linux, may update automatically.

Why not just assume sites, services and facilities are competent and keep services patched?

Sites can easily look at advisories and make judgments for themselves.

Sites are responsible for their own security.

Sites might not find our advisories useful.

But we DO need an SVG

We want to be able to help data centres and services stay secure, in particular we want to help smaller sites or sites without a lot of experienced staff.

We want to give VOs and those using services confidence that their data is secure, which includes ensuring that all sites patch and handle vulnerabilities in a suitable manner.

Often sites and data centres are running software and implementing configurations which are non-standard, and it's important we help them ensure that they are secure.

Sometimes advisories, e.g. RedHat advisories, are not correct in our environment. There may be action we need to ask sites to take which is not included in the RedHat advisory.

The risk associated with a vulnerability may be higher or lower according to how the software is used in the EGI environment and how services operate.

SVG may advise sites to do something other than patch, such as mitigating action if no patches are available.

EGI CSIRT monitors for sites which are not patched, and operations may suspend sites which fail to patch; therefore it is necessary to provide an advisory and state the consequences if they fail to patch.

Some of the services depend on non-standard software to enable those services, and vulnerabilities in this software need to be handled, although there is less of this than there used to be.