The Case for Security in Bioinformatics



By Christopher Frenz

April 12, 2007 | In the past two decades, connectivity to networked resources has transformed the way that businesses and retailers operate. As in the business world, the bioinformatics arena is reveling in electronic data exchange. PubMed boasts more than 16 million biomedical abstracts, and GenBank houses more than 61 million biological sequences.

In addition to networked data repositories, there is a plethora of web applications (e.g., the BLAST search tool), and applications for everything from calculating amino-acid ionization states (e.g., H++) to identifying protein domains (e.g., SMART). The Web helps disseminate bioinformatics software, much of it open source, through sites such as Bioinformatics.org and SourceForge.

The widespread distribution of scientific data and tools is invaluable to researchers, but although these resources are vulnerable to the same potential threats that plague their commercial counterparts, security is rarely discussed in the bioinformatics community.

Should developers or distributors of bioinformatics applications be required to make security considerations an essential element of their development or hosting process? While there have been no reports of widespread abuse of scientific computing resources to date, the potential for such abuses does exist.

Threat Assessment
The strict integration of security within bioinformatics application development (including hosted databases) complicates the process, adding time to development and potentially delaying the application's availability (in extreme cases security concerns can halt release). Moreover, accessing certain data sets or interacting with certain utilities may become more complicated in order to ensure that security measures are properly met. On the user end, time and effort must be spent evaluating the safety of a utility rather than implicitly trusting it. These security considerations can compete with scientific research for available resources. But what could happen if security measures are not tightly integrated into our application development efforts and usage?

A major threat for Web databases and applications is Denial of Service (DoS) attacks, which render networked resources unavailable to users. Such attacks could seriously hamper research efforts, particularly as many bioinformatics utilities use Web services or APIs to access content, and a failure to retrieve such content could interfere with an entire application pipeline.

While DoS attacks are not uncommon, scientific databases are subject to more insidious attacks, such as the submission of a faulty record or the alteration of an existing record to contain faulty information (Web database), or the malicious return of faulty results (Web application). The hidden presence of faulty records can waste both time and money, while a Web application security breach could hinder research. When dealing with medical applications, the stakes could be even higher.

Furthermore, pharming scams could be applied to hosted bioinformatics databases and applications, where detailed logging of user requests and data submissions could potentially be used as a form of industrial espionage. By closely monitoring submitted data and requests along with IP addresses, it could be possible to gain insights into the research activities of other laboratories.

Web-based hosting and distribution of source code and executables introduces important security considerations, including the possibility that an application may be used as a Trojan horse, a malicious purpose concealed behind some seemingly useful functionality. This malicious functionality could damage files or applications or be used for espionage by sending data located on the computer or entered into the application to a remote site.

Here the open source nature of much bioinformatics application development offers both advantages and disadvantages. The ability for anyone to read the code associated with the application can make such breaches easier to spot, but the community-based approach to development can also facilitate such breaches into the application source, since a security flaw could be added by the incorporation of a submitted patch or enhancement.  

Potential security breaches introduced by application installation need not be malicious; numerous applications have been released that contained inadvertent security exploits, such as buffer overflows. Thus bioinformatics applications could introduce similar security vulnerabilities, particularly when developers do not take the possibility into consideration. Users of bioinformatics software should evaluate any downloaded application for security exploits, intentional or not, before use. 

I would like to see the bioinformatics community establish a set of security-related guidelines for bioinformatics practitioners and software developers now, before such exploits become commonplace.

Such guidelines need not be drastically different from general information security recommendations. The key would be to find the proper balance between time and resources spent implementing security and that spent advancing the scientific body of knowledge.

Christopher Frenz is at the Dept. Computer Engineering Technology, New York City College of Technology, Brooklyn, New York. Email: cfrenz@gmail.com.
