Spotlight on Software Assurance and Secure Coding

Bart & Elisa at Cal-Poly Pomona, 09/27/19

Software assurance is the secure design,coding, and assessment of software to ensure it is free from vulnerabilities and works as intended. Since its inception, Trusted CI has dedicated a portion of its engagements and community outreach to software assurance. Much of this work has been led by Profs. Barton P. Miller and Elisa Heymann from the University of Wisconsin-Madison. Through conducting engagements, training events, presenting talks, and building curricula, Bart and Elisa strive to teach programmers, analysts, and managers how to design and program secure software, and how to assess  software to find  flaws and make the software more difficult to be hacked.

Bart and Elisa have conducted numerous engagements for Trusted CI and other organizations. During one engagement for Trusted CI they conducted an in-depth vulnerability assessment of Singularity, an open source container platform optimized for high-performance computing (HPC) and scientific environments. The Open Science Grid engagement involved a vulnerability assessment of OSG's installment of HTCondor, a program that manages jobs submitted to the batch system. In another collaboration outside of Trusted CI, they evaluated Total Soft Bank's (TSB) Terminal Operating System, a system for managing maritime freight shipping, including that manages about 40 percent of container terminals in the world. That work resulted in significant improvements in the security of international shipping, reported in a paper published in Port Technology International.

The pair has conducted workshops for Internet2, Supercomputing, Science Gateways Community Institute (SGCI), IEEE, O’Reilly, the New Jersey FAA; and have traveled to Australia, Germany, South America, and India to give trainings. Much of their work is publicly accessible to broadcast it out to the widest audience possible. And their course, “Introduction to Software Security,” has recently been added to UW-Madison’s Spring 2020 undergrad curriculum. A pilot version of the course had 120 students enrolled, they are optimistic the spring course will be well attended. These training resources focus on real scenarios and hands-on learning to make a lasting impact on students. The training exercises have evolved over time to include different languages and operating systems. It should be noted that, depending on the language, some security problems can be reduced, but they don’t entirely go away.

The future of secure coding relies on as much education as possible. The number of people writing programs has increased at a breathtaking rate. The resources available to them must scale to meet these demands.

Updates about upcoming Trusted CI trainings are regularly posted on our home page. Applications for an engagement with Trusted CI during the early 2020 session are due October 2nd.

Trusted CI renewed through 2024

We're extremely happy to announce that Trusted CI has been renewed as the NSF Cybersecurity Center of Excellence through 2024 under NSF award 1920430. We thank the community for their support in this endeavor and look forward to our continued collaboration to advance the trustworthy nature of NSF science.

For more information, please see the press releases from Indiana University, NCSA and U. of Wisconsin, as well as other press coverage: Indianapolis Business Journal, HPCWire, Indiana Daily Student.

CCoE Webinar September 23rd at 11am ET: Jupyter Security at LLNL with Thomas Mendoza

Thomas Mendoza is presenting the talk "Jupyter Security at Lawrence Livermore National Laboratory" on Monday September 23rd at 11am (Eastern).

Please register here. Check spam/junk folder for registration confirmation email.

Jupyter Notebooks have become tremendously popular for creating, sharing and reproducing science. While they are relatively easy to setup and use, there has (until recently) been little concern regarding the security implications of running these Notebooks. This presentation will cover the developments and practices used at Lawrence Livermore National Laboratory to secure notebooks running in multi-tenant, HPC environments.

Speaker Bio:
Thomas Mendoza is a staff Computer Scientist at LLNL working for Livermore Computing’s HPC center on web architecture and security.

Presentations are recorded and include time for questions with the audience.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Trusted CI Finishes Engagement with the American Museum of Natural History

The American Museum of Natural History (AMNH) conducts research and education activities spanning multiple branches of science. Through the National Science Foundation's Campus Cyberinfrastructure (CC*) program (NSF OAC-1827153), AMNH developed and installed a Science DMZ to enable high speed transfer of large data sets. Connections were deployed regionally via NYSERnet and nationally via Internet2. Additionally, AMNH's ADFS identity management system was federated with InCommon to give researchers access to Globus data transfer nodes (DTNs).

Trusted CI's engagement with AMNH initially focused on developing an information security program tailored to the new Science DMZ. This effort started by reviewing existing AMNH policies and procedures which might apply to the Science DMZ. After this initial examination, it was decided that the accelerated timeline for installation and configuration of both the Science DMZ and the ADFS federation with InCommon left little time for refinement of a few security policy documents. Instead, effort was focused on fine-tuning system configuration for the Science DMZ by consulting outside expertise from ESnet.

Trusted CI documented the activities of this engagement in a final report. AMNH intends to document the processes of installation and configuration of their Science DMZ and the federation of their ADFS identity management system with InCommon. This documentation may give other similarly sized institutions a good starting point for installation of a Science DMZ or ADFS integration with InCommon.

The Trusted CI-American Museum of Natural History engagement began January 2019 and finished June 2019.

Trusted CI begins engagement with SLATE

SLATE accelerates collaborative scientific computing through a secure container orchestration framework focused on the Science DMZ, enabling creation of advanced multi-institution platforms and novel science gateways.  The ATLAS collaboration at the CERN Large Hadron Collider has an R&D program utilizing SLATE to centrally operate a distributed data delivery network having service endpoints at multiple computing facilities in the U.S., CERN, the UK and Germany, and has evaluated a cache deployed using SLATE within the ESnet backbone.  Similar approaches are already in production (the Open Science Grid data federation which is implemented in part using the Pacific Research Platform and Internet2) supporting LIGO and other science domains but as yet lack a generalized trust framework.  While innovation of the  new trust model initially is occurring in the context of the OSG and the worldwide LHC computing grid (WLCG), trusted federated edge infrastructures enabling operation of advanced computing platforms will in future be necessary to sustain a wide range of data intensive science disciplines requiring shared national and international cyberinfrastructure.

The deployment and operation of software through containerized edge services raises issues of trust between many stakeholders with different perspectives. Resource providers require guarantees that services running within their infrastructure are secure and operated within site policies; platform service developers and operators require flexibility to continuously deliver and compose new cyberinfrastructure supporting their scientific collaborations; edge cluster administrators need visibility and operational awareness while delegating some of their traditional deploy and operate responsibilities to centralized platform teams, following a NoOps model; and finally, the application workloads from end-user science communities rely on the foundational capabilities implemented by platform services to realize the full potential of shared cyberinfrastructure.  This engagement will focus on developing SLATE’s cybersecurity program in a way that  balances these needs.

The Trusted CI-SLATE engagement began July 2019 and is scheduled to conclude by the end of December 2019.  For additional information on SLATE, please refer to the paper,  “Building the SLATE Platform,” published in PEARC18.  Trusted CI will document the activities of this engagement in a final report to be made available to the public.

Trusted CI co-PI Jim Marsteller heading to Penn State University

With both excitement and sadness, I share with the Trusted CI community that Jim Marsteller, one of Trusted CI’s founders and a long-time leader of the NSF Cybersecurity Summit Program Committee and the Large Facility Security Team, will be leaving Trusted CI as part of moving from PSC to Penn State in September.

We’re excited for Jim in his new role at Penn State and wish him all the best. We are very glad that he is staying in the higher education family that is so important to Trusted CI’s mission of supporting research and look forward to continuing to work with Jim in his new role.

Please stay tuned for more news on how Trusted CI will adapt to this change of leadership.

Von - Trusted CI PI and Director