Fwd: [WSSSPE] NSF CI software development best practices and challenges


Hi all,

This was sent to the WSSSPE mailing list, and I thought it would be of
interest here as well.

-Matt


---------- Forwarded message ----------
From: Von Welch <vwelch@xxxxxx>
Date: Wed, Dec 3, 2014 at 5:11 PM
Subject: [WSSSPE] NSF CI software development best practices and challenges
To: wssspe@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Cc: "Jim Basney (jbasney@xxxxxxxxxxxx)" <jbasney@xxxxxxxxxxxx>


Of possible interest to some of this group.

The NSF-funded CTSC project (trustedci.org) is undertaking a process
of documenting community best practices for developing reliable,
robust, and secure software, and unique challenges of NSF CI software
development projects.

If you'd like to participate in or follow this activity, you would be
welcome to do so via the CTSC blog
(http://blog.trustedci.org/2014/12/software.html) or our Security
Discussion email list (http://trustedci.org/ctsc-email-lists/). I
won't cross-post to WSSSPE further.

Regards,

Von Welch, CTSC PI


-------- Forwarded Message --------
Subject: [ctsc-discuss-l] unique security challenges for NSF CI
software development projects
Date: Wed, 3 Dec 2014 15:33:19 +0000
From: Basney, Jim <jbasney@xxxxxxxxxxxx>
Reply-To: ctsc-discuss-l@xxxxxxxxxxxxxxxx
To: discuss@xxxxxxxxxxxxx <discuss@xxxxxxxxxxxxx>

Hi,

I'm starting this discussion thread as a follow-up to today's blog post on
"Security for Software Cyberinfrastructure":
http://blog.trustedci.org/2014/12/software.html

Discussion on any related topics is welcome, but I'd particularly like to
ask for input on identifying unique security challenges for NSF CI
software development projects, such as those listed at
http://bit.ly/sw-ci. It seems to me that CI software projects share a lot
of challenges with other Open Source projects: geographically distributed
development teams, part-time developers, project membership changing over
time, lack of strict management hierarchy, lack of long-term
sustainability and maintenance. These challenges impact security - for
example, CI software not getting updated with security fixes/improvements
because the project funding has ended or the developer who understood that
part of the code has graduated and moved on.

As we saw with OpenSSL this year, the challenge of funding maintenance of
security-critical Open Source software is not unique to CI software. See
http://www.linux-magazine.com/Issues/2014/166/Financing-Crypto-Projects
for some discussion on this. The 2010 report from the NSF CI Software
Sustainability and Reusability workshop (http://hdl.handle.net/2022/6701)
gives a CI perspective on the sustainability issue.

Lastly, a note about the term "CI software". I think CI software is
software that's part of the infrastructure (or is expected to be
infrastructure in the future), in contrast to proof-of-concept demo
software or research prototypes. Though I think we all have examples of
proof-of-concept/demo/prototype software that unexpectedly ended up in
production, so the line is fuzzy. Still, I think we're not so concerned
about the security of software written and used by the same researcher,
but instead the software that's widely used by CI resource providers.

What do you think?

-Jim



_______________________________________________
WSSSPE mailing list
WSSSPE@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
http://lists.researchcomputing.org.uk/listinfo.cgi/wssspe-researchcomputing.org.uk


