Community Call — "Security for R" — Create Your Own Security Adventure

security

#1

Hey folks,

The esteemed Ildi Czeller & I are slated for a community call in May (2019-05-07 1100 PDT) on “security”. The first half will be Ildi showing off her AMAZING work on the ropsec package (she’s been an unstoppable force on it). The other half of the topic is currently a big amorphous blob (obviously my half, to wit you’re likely saying to yourselves “What was Stef thinking??!”).

I can literally talk for 12 hours straight on security topics, but we only have like 20m for my part, though.

So I either talk super fast and cram 12 hrs into 20m OR…what do you want to know about. What should I blather on and on and on and on about?

Given the forum it should be #rstats-related, but apart from that I’m open to anything.

I’ll give this topic a bump up in April and then right before the call.

Peace out…

@hrbrmstr


#2

What I was hoping for was something like “How and in what contexts should I use packages such as secret, keyring, sodium, and cyphr?” For instance, I use sodium and cyphr to encrypt a token file for use in a CI pipeline to upload results to Dropbox, with the key saved in base64 as an environment variable. It seems to work, but I’m not sure if this one-key approach is best practice for something like this. A mapping of various packages to use-cases would be helpful.
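The workflow described in the post above, written out as an added example (this is not the poster's code and not from the ropsec, sodium or cyphr projects). It uses sodium's secret-key authenticated encryption directly plus openssl's base64 helpers; the environment variable name `DROPBOX_TOKEN_KEY`, the file name `token.enc`, and the token string are assumptions made for illustration, and the token is a constructed placeholder, not a real credential.

```r
library(sodium)   # keygen(), data_encrypt(), data_decrypt()
library(openssl)  # base64_encode(), base64_decode()

NONCE_LEN <- 24L  # sodium::data_encrypt() uses a 24-byte XSalsa20 nonce

# One-time, on a trusted machine: generate the 32-byte key and print the
# base64 form that goes into the CI secret store (assumed name: DROPBOX_TOKEN_KEY).
make_ci_key <- function() {
  key <- sodium::keygen()                 # 32 random bytes
  list(raw = key, b64 = openssl::base64_encode(key))
}

# Encrypt the token and persist nonce || ciphertext || tag in one file.
# data_encrypt() returns the ciphertext with the nonce as an attribute, so the
# nonce is prepended explicitly; it is not secret, only unique per key.
encrypt_token_file <- function(token, key, path = "token.enc") {
  ct <- sodium::data_encrypt(charToRaw(token), key)   # XSalsa20-Poly1305
  writeBin(c(attr(ct, "nonce"), ct), path)
  invisible(path)
}

# In CI: rebuild the key from the environment variable and decrypt.
# data_decrypt() raises an error if the Poly1305 tag does not verify, so a
# tampered file or a wrong key fails loudly instead of yielding garbage.
decrypt_token_file <- function(path = "token.enc",
                               env_var = "DROPBOX_TOKEN_KEY") {
  key_b64 <- Sys.getenv(env_var)
  if (!nzchar(key_b64)) stop("environment variable ", env_var, " is not set")
  key <- openssl::base64_decode(key_b64)
  if (length(key) != 32L) stop("decoded key must be 32 bytes, got ", length(key))

  blob  <- readBin(path, what = "raw", n = file.size(path))
  if (length(blob) <= NONCE_LEN) stop("token file too short to contain a nonce")
  nonce <- blob[seq_len(NONCE_LEN)]
  ct    <- blob[-seq_len(NONCE_LEN)]
  rawToChar(sodium::data_decrypt(ct, key, nonce))
}

# Round trip with a constructed placeholder token (not a real Dropbox token).
k <- make_ci_key()
encrypt_token_file("sl.constructed-example-token", k$raw, "token.enc")
Sys.setenv(DROPBOX_TOKEN_KEY = k$b64)   # in real CI this comes from the secret store
stopifnot(identical(decrypt_token_file("token.enc"), "sl.constructed-example-token"))

# Flipping one ciphertext byte must be rejected, not silently decrypted.
blob <- readBin("token.enc", "raw", file.size("token.enc"))
blob[length(blob)] <- xor(blob[length(blob)], as.raw(0x01))
writeBin(blob, "token.tampered")
stopifnot(inherits(try(decrypt_token_file("token.tampered"), silent = TRUE), "try-error"))
```

Two things worth noting about this single-key design: the ciphertext file and the environment variable together are the token, so its confidentiality is exactly that of the CI secret store, and the same key can be reused across files only because `data_encrypt()` draws a fresh random nonce each call.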


#3

Thanks Bob for opening up this forum!

I would be interested in your advice as to what security practices (in R) I should be teaching & modelling in my classroom.

I, and I think many others, have two common reactions to teaching (& practicing) security: (1) better not say anything, because I’m not a professional in this area, and (2) whatever “best practices” are sounds like a way too high bar which I’ll probably mess up, and I’ll (a) lock myself out of stuff, (b) mess up something so it’s not really secure anyway, and (c) it’ll be too cumbersome to use (at least in classroom).

I recognize that’s probably not a helpful attitude to have, but I honestly don’t know where to start. Should I teach students to use the new credentials package? Should I mention 2FA when I talk about GitHub? Should I comment on the use of SSH vs HTTPS? Should I say anything about encryption with regards to private data, or PL1-sensitive data? How do I do better than my current ostrich approach without sticking my foot in my mouth?


#4

Would love to hear thoughts on package management and the security of the supply chain. What kind of setup would you advise for a security-conscious enterprise that also wants to maintain a fair amount of analyst flexibility? What lessons can we learn from other languages about trying to make it easier to secure the ecosystem?