
Friday, June 29, 2018

Trusted CI Completes Engagement with GenApp

GenApp (NSF OAC-1740097) is a tool for rapidly generating science gateways. The goal of GenApp is to provide a graphical frontend and associated server backend for command line scientific applications. Trusted CI began an engagement with GenApp in January 2018, and completed the engagement in June 2018.

The engagement focused on performing a security review of the GenApp codebase and the various web applications generated by GenApp, as well as evaluating the technologies and architectures utilized by the GenApp development framework. Trusted CI worked with the GenApp team to create architectural diagrams, ran automated tools to analyze GenApp systems, and manually inspected key components of source code for vulnerabilities.

Findings included the need for more systematic sanitization of user input and for keeping libraries up to date, along with recommendations for secure settings of the web services of GenApp-generated applications.

The GenApp staff has graciously consented to publication of the engagement report after a sufficient period to implement suggestions for remediation of issues. Trusted CI will contact GenApp towards the end of 2018 to verify that issues have been addressed, after which the engagement report will be made available to the public. The hope is that other NSF-funded projects which are primarily software-based can learn from the tasks accomplished during this engagement.

Wednesday, February 14, 2018

CTSC Begins Engagement with GenApp

GenApp (NSF OAC-1740097) is a tool for rapidly generating science gateways. The goal of GenApp is to provide a graphical frontend for command line scientific applications. This is accomplished by creating JSON configuration files which specify input and output parameters for the scientific application, as well as parameters for the GUI elements of the resulting graphical frontend.

The most used GenApp-generated science gateway (SASSIE2), which is focused on the small-angle scattering field, has over 500 registered users and had 16K jobs submitted through the gateway in 2017. GenApp-generated gateways are running on dedicated local resources as well as cloud resources, primarily NSF Jetstream at this time, but such functionality has also been tested on AWS.

As vulnerabilities present in GenApp may lead to vulnerabilities in the generated gateway applications, it is imperative to address any security issues in the GenApp framework, to protect the integrity of the gateway applications and the computing platforms they use. CTSC will review GenApp's design and architecture in an attempt to identify potential security issues and recommend remediations. CTSC will also use code analysis tools and web-based scanning tools on both the GenApp frontend-generation engine and the several web frontends created by the GenApp framework.

The CTSC-GenApp engagement began January 2018 and is scheduled to conclude by the end of June 2018.