Hi folks, I work in Security for my company and a user has requested approval to use Jupyter Notebooks. My job is to assess whether it poses a risk to my company in any way. A big part of that is assessing the nature of the app/service - is it installed on a computer or completely web-based? Despite scanning websites for almost 2 hours I am not clear on this - Jupyter seems to be either something you install or something you can just log into via web browser and get to coding.
Regardless of whether it is installed or used in a web browser, is any part of user input stored on any cloud-based servers anywhere? Are there any other inherent risks I should know about (e.g. XSS attacks)? He is specifically interested in Jupyter Notebooks.
Associate II | Governance Risk & Compliance | IT Security | CAPTRUST
Short answer: it’s a web application that can be installed and run locally. Users access it through a web browser on http://localhost:<PORT>, and everything is stored on the local drive.
Jupyter Notebook (older) and JupyterLab (newer, recommended) can both be installed and run locally, completely offline if you want. You can think of it as an IDE where you can write and execute code. There are lots of official and third-party extensions; if you install those you’ll have to review them separately.
Since they’re web apps, they’re often installed and accessed remotely for convenience. For example, to provide an environment that continues to run when a user’s computer is shut down, to provide more computational resources such as multiple GPUs, specialist applications/libraries that are difficult to install locally, or simply to avoid the hassle of installing things on personal laptops. This is all entirely optional though.
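The answer above rests on the server listening only on localhost and on the per-launch token that Jupyter generates by default. The settings that change that posture live in the user's jupyter_server_config.py (or jupyter_notebook_config.py for the classic Notebook). The script below is an added example, not code from this thread or from the Jupyter project: it statically reviews such a config and flags the settings that would expose the server beyond the local machine or let it be used without authentication. The trait names (c.ServerApp.ip, token, password, allow_origin, disable_check_xsrf, allow_remote_access) are the real ones; the two sample configs embedded in it are constructed for the example.

```python
"""Static audit of a Jupyter Server / classic Notebook config file.

Added example (not from the original thread or the Jupyter project): flags
the settings that turn a loopback-only notebook server into one reachable
from the network or usable without authentication. The config keys are the
real traitlet names (c.ServerApp.* for jupyter_server, c.NotebookApp.* for
the classic notebook); the two sample configs below are constructed.
"""
import ast
import re

# Matches a traitlet assignment such as:  c.ServerApp.ip = '0.0.0.0'
_ASSIGN = re.compile(r"^\s*c\.(?:ServerApp|NotebookApp)\.(\w+)\s*=\s*(.+?)\s*$")

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def parse_config(text):
    """Return {trait_name: value} for every c.ServerApp/NotebookApp line.

    Config files are Python, but this deliberately does not exec() them:
    a regex plus ast.literal_eval handles literal assignments and never
    runs code from the file under review.
    """
    settings = {}
    for line in text.splitlines():
        m = _ASSIGN.match(line)
        if not m:
            continue
        name, raw = m.groups()
        try:
            settings[name] = ast.literal_eval(raw)
        except (ValueError, SyntaxError):
            settings[name] = raw  # non-literal expression; keep the raw text
    return settings


def audit_config(text):
    """Return a list of (trait, finding) tuples; an empty list means no issue found."""
    s = parse_config(text)
    findings = []

    ip = s.get("ip", "localhost")  # Jupyter's default is loopback only
    if ip not in LOOPBACK:
        findings.append(("ip", f"listens on {ip!r}: reachable from other hosts"))

    if s.get("allow_remote_access") is True:
        findings.append(("allow_remote_access", "remote browsers are allowed to connect"))

    # An unset token is auto-generated at launch; an explicitly empty one is not.
    token, password = s.get("token"), s.get("password")
    if token == "" and not password:
        findings.append(("token", "empty token and no password: anyone who can reach "
                                  "the port can execute code on the host"))

    if s.get("allow_origin") == "*":
        findings.append(("allow_origin", "CORS allows any web origin to call the server API"))

    if s.get("disable_check_xsrf") is True:
        findings.append(("disable_check_xsrf", "XSRF checks disabled: a malicious page "
                                               "can drive the kernel cross-site"))
    return findings


# Constructed sample: a "convenience" setup that exposes the server to the LAN.
WEAK_CONFIG = """\
c = get_config()
c.ServerApp.ip = '0.0.0.0'
c.ServerApp.port = 8888
c.ServerApp.open_browser = False
c.ServerApp.token = ''
c.ServerApp.password = ''
c.ServerApp.allow_origin = '*'
c.ServerApp.disable_check_xsrf = True
"""

# Constructed sample: the local-only posture described in the answer above.
HARDENED_CONFIG = """\
c = get_config()
c.ServerApp.ip = '127.0.0.1'
c.ServerApp.port = 8888
c.ServerApp.open_browser = True
# token left unset: Jupyter generates a random one on every launch
"""


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]")
        for trait, finding in audit_config(cfg) or [("-", "no findings")]:
            print(f"  {trait}: {finding}")
```

Run it against a user's actual config file by passing the file contents to audit_config(); a clean result plus the default auto-generated token is the state the answer above assumes. If the user intends to access the server remotely, the findings for ip and allow_remote_access are expected, and the review shifts to whether a password or token is set and whether the port is fronted by TLS.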
Right on, thank you for the info!
Is there any version of JupyterLab that is available as a service that you can just navigate to (a URL) and start using with no installation? That’s what I thought this is: JupyterLite Retro - Tree
Yes, JupyterLite is designed to run entirely in a web browser. It’s hosted remotely and it runs locally.
There are also hosted versions of JupyterLab that you can use with no software installation, including Amazon SageMaker Studio and Amazon SageMaker Studio Lab. The former is a paid service and the latter is freely available. (Disclosure: I work for AWS, but this post doesn’t represent the opinions of AWS.)
Thanks Jweill. If one uses JupyterLite or either of the SageMaker options, is any part of user input stored on any cloud-based servers? Are there any other inherent risks I should know about (e.g. XSS attacks)? If there is documentation about either or both I would very much like to go over it.
@dalewb JupyterLite is a static deployment; all the files you save as a user are saved in your browser’s local storage. See more information in the JupyterLite docs: Using an existing JupyterLite deployment — JupyterLite 0.1.0 documentation.
When you use SageMaker Studio and SageMaker Studio Lab, your files are stored in Amazon-managed storage. Studio Lab includes 15 GB of free long-term storage, managed by Amazon. SageMaker Studio Notebooks offers persistent storage on Amazon-managed systems: you can find details on the Amazon SageMaker Pricing page.