Security Audit of Jupyter Notebook

A lot of places use Jupyter Notebook (and JupyterHub) to work with private data where security compromises would have serious implications. We have a pretty good track record with security (:heart::heart::heart: to everyone reporting and fixing security issues), but it would be great if we could get a formal, external security audit from a firm specializing in this. This increases notebook security, and acts as a strong signal to many organizations.

This requires funding, and someone to see it through. So,

  1. How do we find the money for it?
  2. Who can manage the process? This involves finding a security audit firm, negotiating with them, and seeing it through.

What do you all think?

2 Likes

It sounds excellent!

We would need to provide a good scope for the requested security audit. You wrote Jupyter Notebook, but I started thinking about kernel network communication, JupyterHub, single-user servers running Jupyter Notebook or JupyterLab, etc.

Did you have a specific scope for the audit in mind?

Jupyter is currently provided as a service by most if not all the major cloud providers and also used in multiple large organizations that have easy access to resources that can perform this security audit/threat analysis/penetration tests. Jupyter.org should partner with some of those, which will be beneficial for all involved parties.

Another option might be sponsoring some kind of bug bounty program around security-related bugs.

2 Likes

I could ask if our AppSec team has available resources.

I like @lresende’s suggestion. This is a great opportunity for contributions that aren’t code and don’t require a long-term commitment. Having the work done as a contribution to the project, like all the other professionals who donate their time (aka the AppSec team from 1und1 (I think that is who @jhermann works for)), would also be great.