Security process for Bioconductor
1
1
Entering edit mode
rhnewman ▴ 30
@rhnewman-23769
Last seen 4.4 years ago

Is there any processes in place for the review of code, to check for vulnerabilities in Bioconductor or any of its dependencies, etc? How do you handle remediation's, notifications or updates in the event a vulnerability or other malicious component is discovered?

software error • 1.1k views
ADD COMMENT
0
Entering edit mode

can you provide context for your question?

ADD REPLY
1
Entering edit mode

Our Institute is heavy on security and we vet anything that gets installed in our environment as we were hit a couple of times with ransomware and other malicious activity. A couple of those were from "open-source" applications that our researchers introduced into the environment. Because of this, we have developed policy to determine which applications may be both useful and secure. It is worthy to note we do understand not everything is perfectly secure but we do try to mitigate potential issues up front to keep our environment as safe and secure but continue to give our researchers the tools to work suitably. Thank you.

ADD REPLY
2
Entering edit mode
@martin-morgan-1513
Last seen 4 months ago
United States

Bioconductor is not a monolithic application, but a (large) collection of software packages.

All new Bioconductor package contributions receive a technical review, but this does not specifically target security vulnerabilities.

Once accepted, maintainers make commits to our git repository. There is little code review at this stage.

Bioconductor packages are almost exclusively source (R, C, C++, Fortran, etc) code in git. The main dependencies are therefore R itself, and system library dependencies. Generally, system dependencies must be satisfied by the user, and hence vulnerabilities in these libraries are not under our control. R itself responds promptly to security vulnerabilities. We try to maintain our own systems in a reasonably current state, with regular application of security and other OS updates.

The path from our git repository to build system to public repository is through https.

Our response is like our response to this query -- prompt assessment of the concern and immediate action, e.g., removing problematic packages from our public repositories, notifying upstream sources, and if necessary sharing concerns with our community through this support site, our developer mailing list, and our community slack.

ADD COMMENT
1
Entering edit mode

From a developer's perspective, I can also add that our GitHub repositories from where we push code to Bioconductor are protected with SSH keys. I also have an additional security layer via 2FA phone authentication.

rhnewman, I have worked in a lot of different places and have seen varying degrees of security measures. In the most secure scenario, everything would be installed by a system administrator, even R packages, and users would have absolutely no rights to write any new file to disk. In other high secure environments, users would log in to a Virtual Environment where some more control is given to them, with the main / core IT system protected by being outside of this virtual environment.

It would be important to define multiple 'layers' of security, whereby, even if one is breached, a lot more [layers] have to be breached before any major damage can be done.

ADD REPLY
1
Entering edit mode

Thank you for your comments and the information in your response! I appreciate your time!

ADD REPLY

Login before adding your answer.

Traffic: 605 users visited in the last hour
Help About
FAQ
Access RSS
API
Stats

Use of this site constitutes acceptance of our User Agreement and Privacy Policy.

Powered by the version 2.3.6