Wednesday, February 14, 2018

CTSC Begins Engagement with GenApp

GenApp (NSF OAC-1740097) is a tool for rapidly generating science gateways. The goal of GenApp is to provide a graphical frontend for command line scientific applications. This is accomplished by creating JSON configuration files which specify input and output parameters for the scientific application, as well as parameters for the GUI elements of the resulting graphical frontend.

The most used GenApp-generated science gateway (SASSIE2), which is focused on the small-angle scattering field, has over 500 registered users and 11K jobs submitted through the gateway in 2017. GenApp-generated gateways are running on dedicated local resources as well as cloud resources, primarily NSF Jetstream at this time, but such functionality has also been tested on AWS.

As vulnerabilities present in GenApp may lead to vulnerabilities in the generated gateway applications, it is imperative to address any security issues in the GenApp framework in order to protect the integrity of the gateway applications and the computing platforms they use. CTSC will review GenApp's design and architecture in an attempt to identify potential security issues and recommend remediations. CTSC will also use code analysis tools and web-based scanning tools on both the GenApp frontend-generation engine and the several web frontends created by the GenApp framework.

The CTSC-GenApp engagement began January 2018 and is scheduled to conclude by the end of June 2018.

Monday, February 12, 2018

CCoE Webinar Feb. 26th at 11am ET: SmartProvenance

The University of Texas at Dallas's Dr. Murat Kantarcioglu is presenting the talk "SmartProvenance: A Distributed, Blockchain Based Data Provenance" on February 26th at 11am (Eastern).

Please register here. Be sure to check your spam/junk folder for the registration confirmation email.

Blockchain technology has evolved from being an immutable ledger of transactions for cryptocurrencies to a programmable interactive environment for building distributed reliable applications. Although the blockchain technology has been used to address various challenges, to our knowledge none of the previous work focused on using Blockchain to develop a secure and immutable scientific data provenance management framework that automatically verifies the provenance records using off-chain techniques. In this talk, we discuss how we leverage Blockchain as a platform to facilitate trustworthy data provenance collection, verification, and management. The developed system utilizes smart contracts and open provenance model (OPM) to record immutable data trails. We show that our proposed framework can securely capture and validate provenance data that prevents any malicious modification to the captured data as long as the majority of the participants are honest.

Dr. Kantarcioglu is a Professor in the Computer Science Department and Director of the Data Security and Privacy Lab at The University of Texas at Dallas (UTD). Dr. Kantarcioglu’s research focuses on the integration of cyber security and data science.

Presentations are recorded and include time for questions with the audience.
Join CTSC's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Friday, February 9, 2018

Deadline extended for REU student applications at IU.

The application deadline for undergraduate students at IU interested in working on software security research with CTSC has been extended to February 18th.

Please see the original post for more details.

Tuesday, February 6, 2018

Apply for an Engagement with the NSF Cybersecurity Center of Excellence (applications due April 6)

We are accepting applications for one-on-one engagements to be executed in July - December 2018.  Applications are due April 6, 2018. (Slots are limited and in demand, so this is a hard deadline!)

To learn more about the process and criteria, and to complete the application form, visit our site:


During CTSC’s first 5 years, we’ve conducted more than 20 one-on-one engagements with NSF-funded projects, Large Facilities, and major science service providers representing the full range of NSF science missions.  We support a variety of engagement types including: assistance in developing, improving, or evaluating an information security program; software assurance-focused efforts; identity management; technology or architectural evaluation; training for staff; and more.  

As the NSF Cybersecurity Center of Excellence, CTSC’s mission is to provide the NSF community a coherent understanding of cybersecurity’s role in producing trustworthy science and the information and know-how required to achieve and maintain effective cybersecurity programs.

CTSC Engages with Community to Develop Academic Cloud Provider Best Practices

A community of academic cloud service providers, in collaboration with CTSC, intends to identify and document a set of security best practices for both operators and software developers of academic cloud service providers. The community that will spearhead this thrust is comprised of various R&E cloud service provider initiatives, including: Agave Platform (TACC - NSF OCA-SS2-SSI-1450437), Cornell University Center for Advanced Computing (NSF CI-1541215), CyVerse (UA - NSF DBI-0735191, DBI-1265383), and Jetstream (IU - NSF 1445604).

A “cloud resource” within an academic institution provides a means for R&E users to run virtual machines or containers such that they can have a custom software stack and isolation from other users. Additionally, virtual machines or container images can be curated and provided by the cloud resource operator, they can be provided by the user, or they can be provided by a third party.  This presents a number of challenges in the domain of cloud cybersecurity, e.g., users’ images are run with privileged access, images can be from unknown provenances, controls to reduce the risk an image may cause to both operator and other guests are limited, and managing security updates to images is cumbersome.

To address these issues, this engagement will (i) identify issues and concerns geared for academic cloud operators and those developing software for cloud resource operators, (ii) survey existing security recommendations that govern generic cloud computing, (iii) aggregate those principles found in (ii) for the issues and concerns affecting academic cloud service providers or develop new principles for secure operation of a cloud resource, including specific measures to achieve those principles, and (iv) disseminate the set of principles to the NSF community to maximize its impact.

The overarching goal of this engagement is to improve cybersecurity for operators and users of academic clouds.

Wednesday, January 31, 2018

DEADLINE EXTENDED: Undergraduate Research Opportunity at IU

UPDATE: We've extended the application deadline to February 18, 2018. Please direct any questions to sesons@iu.edu.

The NSF Cybersecurity Center of Excellence (CTSC) is seeking an undergraduate research assistant at Indiana University Bloomington to aid in the development of a software engineering security guide for NSF-funded science and research projects. The student will work under the supervision of Chief Security Analyst Susan Sons to go through data on unusually high-impact vulnerabilities across many types of software, as well as on which vulnerabilities most commonly have impact, and to aid in drawing and explaining conclusions about which types of software weaknesses or development problems should be focused on in developer education and in the first security evaluations on software in an unknown security state.

The student’s work would be comprised of about 60% mining existing databases on software weaknesses and vulnerability reports, about 20% writing up results on that process, with a focus on the top vulnerabilities, and about 20% fleshing out the teaching materials by integrating feedback from outside reviewers and information gained from testing various software tools’ abilities to identify these selected top vulnerabilities.

The student will be appropriately credited, based on work completed, in the final publication.

Schedule and Compensation:


Work will commence in mid February (schedule flexible) with conclusion in May 2018. The student will be expected to work 20 hours per week on a flexible schedule for a $300/week stipend for up to 22 weeks. Primary place of work is the IU Innovation Center at 2719 E Tenth Street, with remote work possible.

Required skills:
  • Experience using an appropriate programming language (e.g. Python or Perl) to search text and database records for information.
  • Ability to take on moderately-sized technical writing tasks.
  • Excellent task management skills: ability to take on tasks or projects, keep track of relevant information, ask for help when needed, and provide consistent feedback on project status with attention to quality and deadlines.
  • Interest in cybersecurity (experience a plus but not required).


Application Process:

Applications will be reviewed by a committee from CTSC, with a decision to be made by February 9th. Candidates should email the following information to Susan Sons, sesons@iu.edu, by 5pm Eastern on February 18th, 2018:
  1. University Transcripts
  2. Letter of Recommendation from a faculty member
  3. A 250-300 word essay answering “How will this experience benefit me?”
  4. A 250-300 word essay answering “What are my expectations for this experience?”
Applications will be reviewed by a panel of CTSC Analysts.

Tuesday, January 30, 2018

SGCI Webinar Feb. 14th at 1pm ET: Cybersecurity for the Modern Science Gateway.


CTSC's Von Welch and Mark Krenz are presenting the talk "Cybersecurity for the Modern Science Gateway" on February 14th at 1pm (Eastern) for the Science Gateway Community Institute's (SGCI) February Webinar.

Please register here.

Science Gateways may be varied in their individual design and purpose, but can all benefit from a commonly used approach to Cybersecurity. Join security experts from the Center for Trustworthy Scientific Cyberinfrastructure (CTSC) as they present an easy-to-follow overview of the resources available to start or improve your gateway's cybersecurity program. From this presentation you will learn the three key cybersecurity aspects that science gateways share as well as the three goals your program should strive to achieve in its cybersecurity program. An overview of techniques and tools will be shown to provide guidance to those not focused on cybersecurity, but wishing to address its challenges.

This talk is presented by Von Welch and Mark Krenz. Von Welch is the Director and PI of the Center for Trustworthy Scientific Cyberinfrastructure and Director of the Center for Applied Cybersecurity Research at Indiana University. Mark Krenz is the Lead Security Analyst for the Center for Applied Cybersecurity Research at Indiana University.