Dear Dev Team,
We are planning on installing the Galaxy framework on our production systems and understandably we are trying to examine the exposure to security risks that we might experience with deploying the system. Has Galaxy been profiled for security flaws? Are there any areas of the system which are historically, or have recently been identified as having security problems?
Many thanks, Matt Goyder
----------------------------------------- Confidentiality Notice: The following mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. The recipient is responsible to maintain the confidentiality of this information and to use the information only for authorized purposes. If you are not the intended recipient (or authorized to receive information for the intended recipient), you are hereby notified that any review, use, disclosure, distribution, copying, printing, or action taken in reliance on the contents of this e-mail is strictly prohibited. If you have received this communication in error, please notify us immediately by reply e-mail and destroy all copies of the original message. Thank you.
Goyder, Matthew wrote:
Dear Dev Team,
We are planning on installing the Galaxy framework on our production systems and understandably we are trying to examine the exposure to security risks that we might experience with deploying the system. Has Galaxy been profiled for security flaws? Are there any areas of the system which are historically, or have recently been identified as having security problems?
Hi Matt,
Galaxy has not been extensively tested for security flaws, although we do evaluate code as it's added, and have a number of tests to ensure proper operation of Galaxy's own dataset security features.
As its primary function, Galaxy allows its users to execute command line tools, so this is a major security concern. However, when tools are run, characters significant to the shell are encoded so they will not be interpreted. This removes most of the concerns about running commands.
As with all such applications, Galaxy should be run as an unprivileged user, and with whatever secure environment is suitable at your site (chroot, jail, zone, virtual machine, or hand-built sandbox).
To date, we have had one incident on our public system, and it was not due to security flaws in Galaxy itself: spammers were using Galaxy's file upload features to upload inappropriate content, which we subsequently took steps to prevent.
--nate
Many thanks, Matt Goyder
- ----------------------------------------- Confidentiality Notice: The
following mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. The recipient is responsible to maintain the confidentiality of this information and to use the information only for authorized purposes. If you are not the intended recipient (or authorized to receive information for the intended recipient), you are hereby notified that any review, use, disclosure, distribution, copying, printing, or action taken in reliance on the contents of this e-mail is strictly prohibited. If you have received this communication in error, please notify us immediately by reply e-mail and destroy all copies of the original message. Thank you. *
galaxy-dev mailing list galaxy-dev@lists.bx.psu.edu http://lists.bx.psu.edu/listinfo/galaxy-dev
galaxy-dev@lists.galaxyproject.org
-
Goyder, Matthew -
Nate Coraor