Hi,

Hope you are well. I work for NHS England and I have been asked to conduct a security review of R. I am unable to locate information around the security posture of R. Would someone please be able to direct me to the correct page or alternatively answer the questions below:

* When was the application last updated?
* How often is it updated?
* Is there any guidance that is followed, such as the OWASP Application Security Verification Standard?
* Do you conform with a recognised security standard? (e.g., SOC1/2/3, ISO27001)
* Do you have an Information Security Policy with supporting Standards and Procedures? Please provide details (or provide a copy of the policy).
* Do you have formal change control and release management processes to manage code changes? Please provide details (or provide a copy of the documented process).
* Is the source code anywhere? If so, where is it and is it secure?
* Do you follow secure development processes? How is this achieved?
* Are there any common vulnerabilities?
* Is there a reporting process for reporting vulnerabilities and remediation processes? Please provide details/a copy of the documented process.
* Do you undertake audits or other reviews to ensure that security controls are being implemented and operating effectively? How is this done? Can you provide details of this?
* Do you undertake regular penetration testing (or similar technical security testing, code review or vulnerability assessment); and are you able to provide a summary of results/findings?
* Do your employees (e.g., developers or system administrators) have access to customer data? How is this access controlled and monitored?
* Are all personnel required to sign a Non-Disclosure Agreement (NDA) or Confidentiality Agreement (CA) as a condition of employment to protect customer information?
* Do you have Business Continuity and/or Disaster Recovery Plans? If yes, please provide details including backup and redundancy mechanisms.
* Is there a dedicated security team?
* Is there a contact for security issues?
* Is there a vulnerability disclosure program?
* Is there a bug bounty program?
* Does R require third party authorization/connections?

Thank you

Regards

Ayesha Majid
Cyber Security Advisor | Cyber Operations Transformation Directorate
NHS England
On Tue, 16 May 2023 13:47:19 +0000, "MAJID, Ayesha (NHS ENGLAND - X26) via R-help" <r-help at r-project.org> wrote:

> * When was the application last updated?
> * How often is it updated?

This information is publicly available at <https://developer.r-project.org/> by looking for "Release plans". You can reach this page by starting at <https://www.r-project.org/> and clicking the "Developer Pages" link. The developer pages are admittedly harder to navigate than the main website, but I think that they could answer some of your other questions too.

You can also obtain this information by looking for "News" under <https://www.r-project.org/> and by checking the dates of all released versions of R at <https://cloud.r-project.org/src/base/>.

> * Is the source code anywhere? If so where is

Yes, you can download release source code by following the "download R" link at <https://www.r-project.org/>, ending up at <https://cloud.r-project.org/> (or your preferred CRAN mirror) and clicking the link for the currently-latest version, R-4.3.0.tar.gz. The link to the Subversion repository containing yet unreleased code can be located at <https://developer.r-project.org/>.

> and is it secure?

What's the threat model?

> * Are there any common vulnerabilities?

What would be considered a vulnerability in a piece of software that was never supposed to be a security boundary? (Will R run arbitrary code typed at its prompt? Yes, by design. Is it possible to feed maliciously-constructed data into R's unserialize() and cause arbitrary code execution this way? Probably, but typing code at the prompt is much easier. Can third-party R packages that start TCP servers be convinced to run arbitrary code on an attacker's behalf? Consider that a given.)

> * Do your employees (e.g., developers or system administrators)
> have access to customer data?

By itself, R processes any data fed into it locally, on the computer where it's running, without contacting R developers about it.

The same cannot be guaranteed about third-party packages, although there are tests and reviews at both CRAN and Bioconductor in order to prevent the packages from doing anything considered "anti-social". (See <https://cran.r-project.org/web/packages/policies.html> for more information on this.) A sufficiently motivated malicious actor could circumvent them, of course, but that can be said about anything.

If someone at NHS wants to use R, they will probably want to use CRAN and Bioconductor packages too. Potentially, they might need packages published elsewhere as well. All these packages will have to be reviewed separately from R, because they are maintained by different people.

> * Does R require third party authorization/connections?

No, but shouldn't you be more concerned with third-party software dependencies?

(Did you mean to ask these questions at the public mailing list open for J. Random Hackers like me to answer?)

-- 
Best regards,
Ivan