Trusted CI Wraps Up Engagement with Jupyter Security Coordinators

Project Jupyter is an open-source project consisting of several products, including Jupyter Notebook/Server, Jupyter Hub, and JupyterLab, which are used throughout the NSF community. This Trusted CI engagement was originally motivated by a Jupyter Security Best Practices Workshop tentatively scheduled for April 2022. Due to the ongoing pandemic, the workshop has been canceled, and alternative avenues for discussion of Jupyter security topics are being pursued. 

Regardless, the engagees agreed that there was value in continuing the original engagement tasks, which include the following.

• Perform a high-level survey of existing Jupyter documentation with a focus on the security aspects of installation and configuration. Identify gaps and suggest recommendations for improvement.
• Identify common Jupyter deployment use-cases as targets for Jupyter Security Best Practices documentation.
• Write security documentation for as many of these use-cases as time permits.
  

Three documents were produced from these engagement tasks.

• A summary of all existing Jupyter documentation focused on security aspects of deployment and configuration. This survey was presented to the Jupyter community via Jupyter's Discourse.
• Suggestions for revisions to Jupyter Notebook documentation related to security of a single-user (e.g., laptop) installation.
• Suggestions for revisions to JupyterHub documentation related to security of a single-server / multi-user (e.g., small scientific project) installation.
  

All documentation produced during this engagement has been published to a GitHub repository. 

Concurrent with this Trusted CI engagement, the Jupyter Security Coordination Team began working with the Jupyter Steering Council to address security issues across the Jupyter project as a whole. This effort led to the following milestones.

• Create a high-level Jupyter Security page on the Jupyter.org site.
• Establish a Jupyter Security Subproject, with bi-weekly meetings open to Jupyter community members interested in the various security-related aspects of the project.
• Create a Jupyter Security GitHub repository.
• Start a proposal for a NumFOCUS security committee.
  

This engagement represents the start of a bigger conversation focused on Jupyter security concerns. It is our hope that the documentation produced by this engagement will be incorporated by Jupyter developers into their project documentation to assist administrators and users in securing their deployments.

Publication of the Trusted CI Guide to Securing Scientific Software

Trusted CI is pleased to announce the publication of its Guide to Securing Scientific Software (GS3).  The GS3 was produced over the course of 2021 by seven Trusted CI members with the goal of broadly improving the robustness of software used in scientific computing with respect to security. GS3 is the result of  the 2021 Trusted CI Annual Challenge on Software Assurance and the interviews we conducted with seven prominent scientific software development projects,  helping to  shape the team’s ideas about the community’s needs in software assurance.  The guide can be downloaded here:

Andrew Adams, Kay Avila, Elisa Heymann, Mark Krenz, Jason R. Lee, Barton Miller, and Sean Peisert. “Guide to Securing Scientific Software,” December 2021. DOI:10.5281/zenodo.5777646 https://doi.org/10.5281/zenodo.5777646

Note that this guide follows the publication of the team’s findings report from a few months ago:

Andrew Adams, Kay Avila, Elisa Heymann, Mark Krenz, Jason R. Lee, Barton Miller, and Sean Peisert. “The State of the Scientific Software World: Findings of the 2021 Trusted CI Software Assurance Annual Challenge Interviews,” September 2021.  https://hdl.handle.net/2022/26799

It is intended that the GS3 will continue to evolve and be further integrated into Trusted CI’s array of activities, including training and engagements, and so we encourage those interested in the subject of software assurance to continue to watch this blog for more information, and to also feel free to reach out to authors of the GS3 with questions and feedback.

For those interested in hearing more about the GS3, please (virtually) join the Trusted CI webinar focused on the topic of software assurance scheduled for February 28, 2022 at 10am Pacific / 1pm Eastern. https://www.trustedci.org/webinars  Register for the webinar.

Finally, Trusted CI gratefully acknowledges the contributions from the following teams to this effort: FABRIC, the Galaxy Project, High Performance SSH/SCP (HPN-SSH) by the Pittsburgh Supercomputing Center (PSC), Open OnDemand by the Ohio Supercomputer Center, Rolling Deck to Repository (R2R) by Columbia University, and the Vera C. Rubin Observatory, as well as to all those who provided feedback on early versions of this guide.

More information on Trusted CI’s work in software assurance can be found at https://www.trustedci.org/software-assurance