Originally posted by elaney_k
Short answer: Security is a complex issue and there are no simple short answers other than from marketing droids...
Longer answer: There are at least three security issues to think about - the front-end web server, traffic to and from the application, and Galaxy itself.
The public Galaxy server uses HTTP - I would not consider that secure, although (see below) once data is uploaded, and assuming the user has set restrictive permissions, it's secured from access by other, unauthorized Galaxy users (unless they packet-sniffed your password!).
If we're talking about a private deployment of a Galaxy instance competently configured and locked down behind a secure HTTPS web server, then unauthorized Galaxy access is going to be really hard to get for starters.
Once someone gains access to Galaxy itself, the application has inbuilt RBAC, so an individual dataset can be locked down to a user or group of users easily and flexibly. Permissions on a dataset propagate to derived datasets as the default. Finally, the developers have always taken security very seriously, and the code protects against all the commonest web security threats that we know about - like session-key-hashed URL paths, e.g.
Galaxy source has never been formally audited for security - but at least you can take a look for yourself to see what weaknesses there might be. Please let us know if you do manage to find anything we need to know about!
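To make the two application-level controls in the post above concrete (per-dataset RBAC whose permissions propagate to derived datasets, and dataset URLs whose token is keyed to the session), here is a small worked model. This is an added example written for this page; it is not Galaxy's own code, and the class names, the `SERVER_SECRET` value, the path layout `/dataset/<id>/display?token=...` and the "empty role set means public" rule are assumptions chosen for illustration.

```python
"""Illustrative model of per-dataset RBAC with inheritance plus session-bound
signed dataset URLs. Added example for this page, not Galaxy's own code."""
import hashlib
import hmac
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Hypothetical server-side secret; a real deployment loads a long random
# value from its configuration and never sends it to clients.
SERVER_SECRET = b"example-only-server-secret-change-me"


@dataclass(frozen=True)
class Dataset:
    """A dataset readable only by users holding one of `roles`
    (an empty role set means the dataset is public - an assumption here)."""
    dataset_id: int
    owner: str
    roles: frozenset = frozenset()

    def derive(self, new_id: int) -> "Dataset":
        """A derived dataset inherits the parent's access roles by default,
        so running a tool on a private dataset does not expose its output."""
        return Dataset(new_id, self.owner, self.roles)


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = frozenset()


def can_access(user: User, dataset: Dataset) -> bool:
    """RBAC check: public datasets are open; restricted ones need a shared role."""
    if not dataset.roles:
        return True
    return bool(user.roles & dataset.roles)


def _path_mac(session_key: str, dataset_id: int) -> str:
    """HMAC over (session, dataset id) under the server secret."""
    msg = f"{session_key}:{dataset_id}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def sign_dataset_path(session_key: str, dataset_id: int) -> str:
    """Build a display URL whose token is keyed to both the dataset and the
    caller's session: it cannot be enumerated, and it is useless if replayed
    from a different session or re-pointed at another dataset id."""
    return f"/dataset/{dataset_id}/display?token={_path_mac(session_key, dataset_id)}"


def parse_dataset_path(path: str):
    """Split '/dataset/<id>/display?token=<hex>' into (id, token)."""
    parsed = urlparse(path)
    parts = parsed.path.strip("/").split("/")
    if len(parts) != 3 or parts[0] != "dataset" or parts[2] != "display":
        raise ValueError("not a dataset display path")
    token = parse_qs(parsed.query).get("token", [""])[0]
    return int(parts[1]), token


def serve_dataset(user: User, session_key: str, catalog: dict, path: str) -> str:
    """Request handler: verify the signed path first, then apply RBAC.
    Returns one of 'ok', 'bad-token', 'not-found', 'forbidden'."""
    try:
        dataset_id, token = parse_dataset_path(path)
    except ValueError:
        return "bad-token"
    # Constant-time comparison so the expected token is not leaked byte by byte.
    if not hmac.compare_digest(_path_mac(session_key, dataset_id), token):
        return "bad-token"
    dataset = catalog.get(dataset_id)
    if dataset is None:
        return "not-found"
    if not can_access(user, dataset):
        return "forbidden"
    return "ok"


if __name__ == "__main__":
    # Constructed sample data: a private dataset and a tool output derived from it.
    alice = User("alice", frozenset({"lab-a"}))
    bob = User("bob", frozenset({"lab-b"}))
    raw = Dataset(1, "alice", frozenset({"lab-a"}))
    catalog = {1: raw, 2: raw.derive(2)}
    link = sign_dataset_path("sess-alice", 2)
    print(serve_dataset(alice, "sess-alice", catalog, link))  # ok
    print(serve_dataset(bob, "sess-bob", catalog, link))      # bad-token
```

Note the order of checks in `serve_dataset`: the signature is validated before any database lookup, so a link copied out of someone else's browser (or one with the id edited by hand) is rejected without revealing whether the target dataset exists, and the role check still applies even to a correctly signed link. None of this helps over plain HTTP, where the session cookie and password travel in the clear, which is the point the post makes about the public server.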