Globus Online Security Review

This page serves to provide pointers to the latest version of my security assessment of the Globus Online File Transfer and related services and any updates to that assessment.

The latest version of this document is dated February 3rd 2012 and is available from IU ScholarWORKS: http://hdl.handle.net/2022/14147. Please cite as: “Von Welch. Globus Online Security Review. Indiana University ScholarWORKS. February 3, 2012.
http://hdl.handle.net/2022/14147”

Summary

The review is based on a description, provided by the Globus Project, of the architecture and deployment of the services. The description was provided in the form of written documentation, email communications and a roughly three-hour in-person meeting. This document is written from the point of view of users of the services and operators of data storage services accessed by the services on behalf of their users. It is most accurately described as an architectural security review.

A casual exploration of the services as a user was undertaken, but was not a significant activity in regard to the authoring of the report.

This review is provided as best effort for the benefit of the community. It is provided “as-is” with no warranty expressed or implied. All opinions are those of the author and should not be taken to reflect opinions of any other entity.

This review did not, among other things:

  • Ensure that the implementation and deployment of the services matched the descriptions given by the Globus Project.
  • Evaluate source code for bugs (unsafe coding practices).
  • Review the software development, distribution and upgrade process for potential risks.
  • Undertake any sort of penetration or other active testing.
  • Undertake any review or assessment of software packages, frameworks, operating systems, etc. utilized by the services.
  • Consider availability (e.g. resilience to denial of service attacks or non-malicious faults).
  • Perform any sort of rigorous cryptographic analysis (e.g. of the web cookie signing).
  • Determine if the system satisfies the concerns of any entity (e.g. XSEDE).

Comments