[R] [External] Re: R Software Risk Analysis

Bert Gunter bgunter@4567 @end|ng |rom gm@||@com
Fri Jun 19 02:46:39 CEST 2020


As others have noted, R's vulnerabilities depend on the environments in
which it is used. Perhaps the other issue is whether any downloaded R
software could be problematic, perhaps due to malware. R's core
functionality is, I'm sure, fine. For the 20,000 or so packages on CRAN and
elsewhere -- ?? One would have to probably check the security on CRAN's (or
others') servers for that. My ignorant expectation is that most such
university-associated servers are quite secure.


Bert Gunter

"The trouble with having an open mind is that people keep coming along and
sticking things into it."
-- Opus (aka Berkeley Breathed in his "Bloom County" comic strip)


On Thu, Jun 18, 2020 at 5:27 PM Richard M. Heiberger <rmh using temple.edu> wrote:

> You should start by reading
> R: Regulatory Compliance and Validation Issues: A guidance document
> for the use of R in regulated clinical trial environments.
> https://www.r-project.org/doc/R-FDA.pdf
>
> The official link to that file is at the R home page
> https://www.r-project.org/
> In the left column, click on Certification.
>
> That takes you to the page that offers the Compliance paper and a
> paper on the R Development cycle.
>
> Rich
>
> On Thu, Jun 18, 2020 at 7:46 PM David Winsemius <dwinsemius using comcast.net>
> wrote:
> >
> >
> > On 6/18/20 3:41 PM, John Harrold wrote:
> > > Hello Kristin,
> > >
> > > Are you talking about risk analysis from the perspective of software
> > > vulnerabilities?
> >
> >
> > It appears that is exactly what is being asked. What is not clear is
> > whether the installation would be offered to persons or groups on the
> > network with no other security wrappers. R has never claimed to be
> > "web-safe". It offers access to system level commands and file system
> > manipulation that would probably compromise security arrangements.  In
> > fact, over the course of the last 12 years when I've been reading this
> > mailing list, there has never been a credible suggestion to offer R
> > applications to untrusted users. Quite the opposite. Naked R is surely
> > > not going to pass any sort of threat or risk scrutiny.
> >
> >
> > My suggestion would be to investigate various wrappers for R such as
> > Rstudio or the Microsoft re-worked version of what used to be Revolution
> > R. They have lawyers and offer "enterprise solutions" and would
> > presumably be able to speak to some sort of security analysis.  Whether
> > either of those approaches would provide the level of security needed by
> > > a healthcare organization would be an interesting question. Perhaps you
> > can report back after completing your investigation?
> >
> >
> > --
> >
> > David.
> >
> > >
> > > John
> > >
> > > On Thu, Jun 18, 2020 at 3:21 PM Wait, Kristin <WaitK using amc.edu> wrote:
> > >
> > >> Hi all,
> > >>
> > >> I am with a NYS major trauma center and all programs that our
> > >> employees/providers use must be vetted through the IT Department by way of
> > >> a Risk Analysis.
> > >> Is there someone I would talk to about this?
> > >>
> > >> I scoured your website and could not find a specific person.
> > >>
> > >> Thank you so much
> > >> Kristin Wait
> > >> Albany, NY
> > >>
> > >> ______________________________________________
> > >> R-help using r-project.org mailing list -- To UNSUBSCRIBE and more, see
> > >> https://stat.ethz.ch/mailman/listinfo/r-help
> > >> PLEASE do read the posting guide
> > >> http://www.R-project.org/posting-guide.html
> > >> and provide commented, minimal, self-contained, reproducible code.
> > >>
