CR · Apr 10, 2019
Trusted CI Experiences in Cybersecurity and Service to Open Science
Andrew Adams, Kay Avila, Jim Basney et al.
This article describes experiences and lessons learned from the Trusted CI project, funded by the US National Science Foundation to serve the community as the NSF Cybersecurity Center of Excellence. Trusted CI is an effort to address cybersecurity for the open science community through a single organization that provides leadership, training, consulting, and knowledge to that community. The article describes the experiences and lessons learned of Trusted CI regarding both cybersecurity for open science and managing the process of providing centralized services to a broad and diverse community.
SE · Sep 7, 2013
Initial Findings from a Study of Best Practices and Models for Cyberinfrastructure Software Sustainability
Craig A. Stewart, Julie Wernert, Eric A. Wernert et al.
We present a set of common themes and recommendations extracted from in-depth interviews with the leaders of 12 distinct cyberinfrastructure software projects. These interviews were conducted as part of a larger study to identify and elucidate the best practices and management models that lead to sustainability for cyberinfrastructure software. Respondents in a formal survey of cyberinfrastructure users identified these projects as good examples of sustained software initiatives. While there is clearly no single method or plan that will guarantee sustainability for all projects, we can draw general guidance from these exemplars. This paper presents the common themes, ideas, and recommendations that emerged from those interviews.
CR · Sep 6, 2013
Toward a Research Software Security Maturity Model
Randy Heiland, Betsy Thomas, Von Welch et al.
In its Vision and Strategy for Software for Science, Engineering, and Education the NSF states that it will invest in activities that: "Recognize that software strategies must include the secure and reliable deployment and operation of services, for example by campuses or national facilities or industry, where identity, authentication, authorization and assurance are crucial operational capabilities." and "Result in high-quality, usable, secure, vulnerability-free, sustainable, robust, well-tested, and maintainable/evolvable software; and which promotes the sustainability of solid and useful on-going investments." Such statements evidence that security should indeed be a first-class consideration of the software ecosystem. In this position paper, we share some thoughts related to research software security. Our thoughts are based on the observation that security is not a binary, all-or-nothing attribute, but a range of practices and requirements depending on how the software is expected to be deployed and used. We propose that the community leverage the concept of a maturity model, and work to agree on a research software security maturity model. This model would categorize different sets of security needs of the deployment community, and provide software developers a roadmap for advancing the security maturity of their software. The intent of this paper is not to express such a comprehensive maturity model, but instead to start a conversation and set some initial requirements.