
I made a Shiny app for pseudonymization of patient data which we want to use in our clinic. In order to prevent the app from being hacked and to ensure that the code will always run in the future, we want to use it locally, i.e. R would be blocked by the firewall and we would use the app offline.

Now a coworker responsible for security asks how R gets its security updates if it is offline. I have no idea what to say. The easiest answer is that in this constellation R obviously cannot get any kind of updates. But I wonder whether there are security updates for R at all. Do the regular R and/or RStudio updates include security fixes?

  • a small blog related to this topic: https://support.rstudio.com/hc/en-us/articles/360042593974-R-and-R-Package-Security – Mike Apr 28 '22 at 17:47
  • @Mike My colleague in charge of security did not like that at all. In exaggerated terms one can say that R can't be used in a professional context because of the lack of any security methods; there is always a risk. And the question is: Who is responsible for the risk? It's not R and I don't want to be the one either. We are handling clinical data which is really sensitive stuff. That is really a big point against R. – LulY Apr 29 '22 at 16:19
  • It's an interesting point for sure and I am not a security expert by any means, so I am out of my depth here. But if the app is offline and only stored locally, how would anyone else access the data? Is this assuming a nefarious package can still access your data without your permission? – Mike Apr 29 '22 at 17:19
  • 1
    @Mike an idea: R itself will be offline but it will be installed on computers with access to the internet. I can imagine that this is already of some risk in case someone hacks the computer and goes to the R files (which are maybe vulnerable because R has no security measures). – LulY Apr 29 '22 at 17:34
  • You can use security scanners like [trivy](https://github.com/aquasecurity/trivy) or [ZAP](https://www.zaproxy.org/) (for shiny or web apps in general) to check R and its software dependencies for known vulnerabilities. – ismirsehregal Jul 12 '22 at 10:20
