JIRA Issue

[#XCI-669] Readiness assessment for security vulnerability scanning service

[XCI-669] Readiness assessment for security vulnerability scanning service Created: 10/24/2019  Updated: 03/02/2022

Status: In Progress
Project: XSEDE Cyberinfrastructure Integration
Component/s: None
Fix Version/s: PY11 (Sep '21 - Aug '22)

Type: XCI Evaluation Priority: Normal
Reporter: Lee Liming Assignee: Derek Simmel
Resolution: Unresolved Votes: 0

XSEDE Priority: 4.0 UREP
XSEDE Areas:
RACD Integration Services
Use Case Priority: Medium
Public activity link: https://software.xsede.org/display/xci-669
Devel Repository:
Use Cases:
SPI-09: Test a system for vulnerabilities using an automated service
Effort and Costs:
Staff Name (Lastname, Firstname) Effort (person weeks) Roles or Contributions
Simmel, Derek 1 Coordinate and contribute to deliverables (required)
TBD security engineer(s) 1 Help identify and evaluate potential scanning services, and draft XSEDE documentation referencing recommended scanning services (required)
SP and XSEDE cybersecurity experts 0.2 Provide input on potential scanning services
SP and XSEDE cybersecurity experts 0.4 Review draft recommended services documentation (this is considered documentation testing)
Due by Activity Deliverable
DSR Design Document* (summary of identified scanning services, evaluation notes, and whether each is recommended for specific scanning purposes)
TRR Service Provider documentation referencing recommended services with their purpose
Deployment Documentation published* (Shava)
Deployment Appropriate groups notified of the new documentation (Shava)

DSR by end of March 2022.
Deliverables done by end of April 2022.

Track status in meeting: yes
Lead Tester: Shava Smallen


Use case SPI-09 describes service providers (XSEDE-affiliated SPs and campus service providers) accessing an automated service and performing a scan of their system for common security vulnerabilities. We need to know the current availability of such services and whether any of them might be suitable for use in XSEDE as described in this use case.

Two possible sub-tasks:

  1. Work with a group of experts to define useful sets of vulnerabilities that a service might scan for, so we can use them in a checklist when evaluating candidate services. In other words, what types of scans would be most useful? Note that the "experts" could be seasoned security professionals (e.g., XSEDE cybersecurity team, TrustedCI, ResearchSOC) or seasoned service providers (e.g., XSEDE SPs) or a combination.
  2. Identify and evaluate specific candidate services, producing an evaluation report.


There are comments for XCI-669 that can be viewed with XSEDE authentication.