[PROCEDURES] Security policy

galaxyproject/galaxy

FAQ:

  • Who has time for this?
    • I volunteer as tribute.
    • @jmchilton would as well, if there was support from the PIs. xref https://github.com/galaxyproject/galaxy/pull/4071#issuecomment-301909868
    • I’m sure that we are not alone in this.
  • This is a big commitment
    • Indeed! Time to build a security sub-team who can share duties.
    • The biggest time commitment is testing against old versions of Galaxy and ensuring patches work. Hopefully this can be ameliorated by Jenkins (or Travis) test matrices and by spending time building reported security faults into PoC exploits that can be run and tested automatically.
  • 17.09:
    • Unless there is just overwhelming support, I’ll be available at GCC to defend this as useful and necessary.
  • “We’re already short on time, why is this worth devoting time to?”
    • my (initial) counters are, in brief:
      • deployers and their universities care (see automated scan reports people send)
      • based on committers mailing list traffic this will be low commitment unless the individuals are enthusiastic about adding more features
      • we’re constantly adding new <s>attack vectors</s> features like GIEs. If there’s a team of security minded folks, we have some points of contact for “hey would this make things worse in terms of security? How can we make this feature more palatable for admins and security folks? Is there documentation we should add that people should be aware of?”

This is being opened as a procedures PR because it really needs buy in from stakeholders. @jmchilton said it better than I can:

I’d also not merge this until a few people who actually fund Galaxy development sign off on it - perhaps we could ping the three PIs on the final real [PROCEDURES] PR and get at least a couple :+1:s from them.

From my various hats:

  • As a developer, we should have an aggressive security posture and attack our own infrastructure regularly to ensure we’re not shipping exploits to unsuspecting administrators.
  • As an admin, I want the sort of transparency and accountability described in this document.
  • As a white hat, I like the assurances that the team will respond to my vulnerability reports efficiently.
Updated 02/06/2017 19:58 11 Comments