[R] R Software Risk Analysis

David Winsemius
Fri Jun 19 01:45:52 CEST 2020

On 6/18/20 3:41 PM, John Harrold wrote:
> Hello Kristin,
> Are you talking about risk analysis from the perspective of software
> vulnerabilities?

It appears that is exactly what is being asked. What is not clear is 
whether the installation would be offered to persons or groups on the 
network with no other security wrappers. R has never claimed to be 
"web-safe". It offers access to system level commands and file system 
manipulation that would probably compromise security arrangements.  In 
fact, over the course of the last 12 years when I've been reading this 
mailing list, there has never been a credible suggestion to offer R 
applications to untrusted users. Quite the opposite. Naked R is surely 
not going to pass any sort of threat or risk scrutiny.

My suggestion would be to investigate various wrappers for R such as 
Rstudio or the Microsoft re-worked version of what used to be Revolution 
R. They have lawyers and offer "enterprise solutions" and would 
presumably be able to speak to some sort of security analysis.  Whether 
either of those approaches would provide the level of security needed by 
a healthcare organization would be an interesting question. Perhaps you 
can report back after completing your investigation?



> John
> On Thu, Jun 18, 2020 at 3:21 PM Wait, Kristin <WaitK using amc.edu> wrote:
>> Hi all,
>> I am with a NYS major trauma center and all programs that our
>> employees/providers use must be vetted through the IT Department by way of
>> a Risk Analysis.
>> Is there someone I would talk to about this?
>> I scoured your website and could not find a specific person.
>> Thank you so much
>> Kristin Wait
>> Albany, NY