I've been asked to approve installation of Chimera in one of our labs, and I was hoping that you might have documentation on your development processes and policies such that I can feel comfortable installing your app in our environment. I have searched but not found documentation related to OWASP or other dev standards, or any assessments that may have been run. Would you have information available? Thank you in advance, Mike Hart | Chief Information Security Officer (CISO) Metropolitan State University of Denver Information Technology Services Campus Box 96, P.O. Box 173362, Denver, CO 80217-3362 Admin Building - 1201 5th Street 480M Denver, CO 80204 303-615-0541 (Office) 303-352-7548 (Help Desk) mhart20@msudenver.edu<mailto:mhart20@msudenver.edu> | www.msudenver.edu/technology<http://www.msudenver.edu/technology> [cid:image001.jpg@01D8E848.158CADA0]
Hi Mike, We encourage all labs to use ChimeraX which is the successor to the Chimera program. Chimera is only receiving critical maintenance while ChimeraX 1.0 came out 2 years ago, now at version 1.4, and is actively developed. We are the academic lab at UCSF that develops Chimera and ChimeraX. We don't have formal development security reviews. Our source code is under version control and only modified by the core developers at UCSF. The software does not listen on ports and uses only web services that we host at UCSF. This is research software that can be used to run Python analysis scripts. Since Python is a general purpose language it can do anything on the computer that user privileges allow. The researcher writes those scripts or obtains them from other researchers and is responsible for assuring they do nothing malicious. Here is the Chimera developer web site https://www.rbvi.ucsf.edu/trac/chimera/wiki <https://www.rbvi.ucsf.edu/trac/chimera/wiki> Here is the ChimeraX github repository and developer site https://github.com/RBVI/ChimeraX <https://github.com/RBVI/ChimeraX> https://www.rbvi.ucsf.edu/trac/ChimeraX/wiki <https://www.rbvi.ucsf.edu/trac/ChimeraX/wiki> Tom Goddard ChimeraX and Chimera developer
On Oct 25, 2022, at 7:02 AM, Hart, Michael via Chimera-dev <chimera-dev@cgl.ucsf.edu> wrote:
I’ve been asked to approve installation of Chimera in one of our labs, and I was hoping that you might have documentation on your development processes and policies such that I can feel comfortable installing your app in our environment. I have searched but not found documentation related to OWASP or other dev standards, or any assessments that may have been run. Would you have information available?
Thank you in advance,
Mike Hart | Chief Information Security Officer (CISO) Metropolitan State University of Denver Information Technology Services Campus Box 96, P.O. Box 173362, Denver, CO 80217-3362 Admin Building - 1201 5th Street 480M Denver, CO 80204 303-615-0541 (Office) 303-352-7548 (Help Desk) mhart20@msudenver.edu <mailto:mhart20@msudenver.edu> | www.msudenver.edu/technology <http://www.msudenver.edu/technology> <image001.jpg>
_______________________________________________ Chimera-dev mailing list Chimera-dev@cgl.ucsf.edu <mailto:Chimera-dev@cgl.ucsf.edu> https://www.rbvi.ucsf.edu/mailman/listinfo/chimera-dev <https://www.rbvi.ucsf.edu/mailman/listinfo/chimera-dev>
And the web sites that we host, and the computers that host them, are regularly scanned by the university for vulnerabilities. And even though we are an academic lab, since the university has a medical school with HIPPA information, it seems like we are subjected to an extra level of paranoia. But maybe that is the new normal. -- Greg On 10/25/2022 10:26 AM, Tom Goddard via Chimera-dev wrote:
Hi Mike,
We encourage all labs to use ChimeraX which is the successor to the Chimera program. Chimera is only receiving critical maintenance while ChimeraX 1.0 came out 2 years ago, now at version 1.4, and is actively developed.
We are the academic lab at UCSF that develops Chimera and ChimeraX. We don't have formal development security reviews. Our source code is under version control and only modified by the core developers at UCSF. The software does not listen on ports and uses only web services that we host at UCSF. This is research software that can be used to run Python analysis scripts. Since Python is a general purpose language it can do anything on the computer that user privileges allow. The researcher writes those scripts or obtains them from other researchers and is responsible for assuring they do nothing malicious. Here is the Chimera developer web site
https://www.rbvi.ucsf.edu/trac/chimera/wiki
Here is the ChimeraX github repository and developer site
https://github.com/RBVI/ChimeraX
https://www.rbvi.ucsf.edu/trac/ChimeraX/wiki
Tom Goddard ChimeraX and Chimera developer
On Oct 25, 2022, at 7:02 AM, Hart, Michael via Chimera-dev <chimera-dev@cgl.ucsf.edu> wrote:
I’ve been asked to approve installation of Chimera in one of our labs, and I was hoping that you might have documentation on your development processes and policies such that I can feel comfortable installing your app in our environment. I have searched but not found documentation related to OWASP or other dev standards, or any assessments that may have been run. Would you have information available? Thank you in advance, *Mike Hart | Chief Information Security Officer (CISO)* *Metropolitan State University of Denver Information Technology Services* Campus Box 96, P.O. Box 173362, Denver, CO 80217-3362 Admin Building - 1201 5^th Street 480M Denver, CO 80204 303-615-0541 (Office) 303-352-7548 (Help Desk) mhart20@msudenver.edu <mailto:mhart20@msudenver.edu> | www.msudenver.edu/technology <http://www.msudenver.edu/technology> <image001.jpg> _______________________________________________ Chimera-dev mailing list Chimera-dev@cgl.ucsf.edu https://www.rbvi.ucsf.edu/mailman/listinfo/chimera-dev
_______________________________________________ Chimera-dev mailing list Chimera-dev@cgl.ucsf.edu https://www.rbvi.ucsf.edu/mailman/listinfo/chimera-dev
participants (3)
-
Greg Couch -
Hart, Michael -
Tom Goddard