Monday, November 18, 2019

New at the NSF Cybersecurity Summit this year: Jupyter Security Training

Picture of Matthias Bussonnier teaching about Jupyter security
Matthias Bussonnier - Photo by Emily Sterneman
 This year at the NSF Cybersecurity Summit, Trusted CI expanded upon its training session offerings with a Jupyter security training/workshop on the first day (afternoon session). This training was led by Matthias Bussonnier (Jupyter Developer Team, UC Merced), Rick Wagner (Globus), Mark Krenz (Trusted CI), and Ishan Abhinit (Trusted CI). Twenty-one people attended the workshop, making it one of the more popular training sessions at the summit this year.

The session started with an around-the-room introduction of attendees and their experiences using Jupyter, including what they knew about Jupyter security and what they were hoping to get out of the workshop. Most attendees had little-to-no experience with Jupyter and were curious to learn more about  deploying and securing Jupyter. This was especially valuable information to Matthias to better help the development team understand the different scientific communities using Jupyter. The room seemed to be balanced between attendees from Information Technology and Research, which is a sign that Jupyter is more and more used and deployed at scale in various institutions.

The next 30 minutes were devoted to helping the audience understand Jupyter and its software landscape: notebooks, notebook server, IPython, JupyterHub, etc. This included an overview of Jupyter architecture, nomenclature where things run and how they communicate, the Threat Model, examples of attacks, and how to secure an installation.

This was followed by a hands-on exercise where Rick demonstrated how to access a remote Notebook Server and set up a JupyterHub instance using a default configuration. Then attendees learned to observe and secure components and their interactions one by one. Rick and Matthias ended the session by answering the questions attendees had asked at the beginning, defining Jupyter security best practices, and giving an overview of what can be done to improve security in the Jupyter Community. The slides from the workshop are available here. The group will be looking for ways to provide this training at future events.

According to Matthias, this was the first ever security focused training workshop on Jupyter; and the feedback from the first group of attendees will inform the shape this training will take in future iteration.