Managing a software project the dos and donts SI2 PI Meeting - - PowerPoint PPT Presentation

managing a software project the dos and don ts
SMART_READER_LITE
LIVE PREVIEW

Managing a software project the dos and donts SI2 PI Meeting - - PowerPoint PPT Presentation

Jan 27, 2024 166 likes •268 views

Managing a software project the dos and donts SI2 PI Meeting January 18, 2012 Von Welch Director and PI CTSC trustedci.org 1 Center for Trustworthy Scientific Cyberinfrastructure (CTSC) Jim Basney, Randal Butler, Scott Koranda, Jim

slide-1
SLIDE 1

trustedci.org 1

Managing a software project— the dos and don’ts

SI2 PI Meeting January 18, 2012

Von Welch

Director and PI CTSC

slide-2
SLIDE 2

trustedci.org 2

Center for Trustworthy Scientific Cyberinfrastructure (CTSC)

Jim Basney, Randal Butler, Scott Koranda, Jim Marsteller, Bart Miller, Von Welch We don’t make the software, we help make it more secure (so you can focus on what you do best). Lots of software development (MyProxy, CILogon, GridShib, COmanage), testing (FPVA), and operating (XSEDE, OSG, LIGO, NCSA, PSC) experience.

slide-3
SLIDE 3

trustedci.org 3

CTSC trustedci.org

We engage with projects, and develop training to solve security challenges and we want to help your project. Let us know your needs: trustedci.org/sw-survey/ Or Email me (vwelch@indiana.edu)

slide-4
SLIDE 4

trustedci.org 4

To Phil’s charge…

What are the security do’s and don’t for vulnerability handling for release, support and testing? Considering software of maturity to be used in production science project or facility such as OSG, XSEDE, LIGO, IU, NCSA, etc.

This is in a range of maturity, which is separate discussion.

slide-5
SLIDE 5

trustedci.org 5

Vulnerabilities

Like the common cold, we’d love to eliminate vulnerabilities, but today everybody gets them. It’s how you handle them that is important to people trusting your software. A timely, predictable process is the key.

slide-6
SLIDE 6

trustedci.org 6

Support

Do know what versions you support, be clear about that. Do have a clear process for reporting vulnerabilities.

E.g. http://grid.ncsa.illinois.edu/myproxy/security/#vh

Do have a internal process for handling vulnerabilities.

Who is in charge, sets priority, etc.

Do know what software you depend on and monitor them for vulnerabilities – you own those as well for your users.

slide-7
SLIDE 7

trustedci.org 7

Release

Do produce a clean fix.

I.e. a new release with just the security fix and nothing else.

User want a quick, painless installation, testing as little as possible.

Do plan your communications

Don’t surprise your user community with a security fix. A private channel to key users is good. A dedicated, low-volume channel for announcing is good.

slide-8
SLIDE 8

trustedci.org 8

Testing

Do test security releases.

Ability to quickly test is key to quick security releases. Automated testing helpful, e.g. B&T

Software assurance (testing code security) from the start is good.

The earlier, the easier. Automated help coming in 2014, SWAMP (http://www.cosalab.org/)

slide-9
SLIDE 9

trustedci.org 9

Thank you

Von Welch vwelch@indiana.edu www.trustedci.org blog.trustedci.org twitter.com/TrustedCI

We thank the National Science Foundation (grant 1234408) for supporting our work. The views and conclusions contained herein are those of the author and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the NSF.