CICI:UCSS:Securing an Open and Trustworthy Ecosystem for Research Infrastructure and Applications (SOTERIA)

Managing a secure software environment is essential to a trustworthy cyberinfrastructure. Software supply chain attacks may be a top concern for IT departments, but they are also an aspect of scientific computing. The threat to scientific reputation caused by problematic software can be just as dangerous as an environment contaminated with malware. The issue of

managing environments affects any individual researcher performing computational research but is more acute for multi-institution scientific collaborations as they often preside over complex software stacks and must manage software environments across many distributed computing resources. Increasingly, these collaborations and individual investigators have turned to Linux

container images (packing application software, operating system and other needed libraries into one entity) for their platform portability and scientific reproducibility advantages. However, in doing so new software sources from both public and private repositories are introduced into the supply chain, thus bringing new risks. The Securing an Open and Trustworthy Ecosystem for

Research Infrastructure and Applications (SOTERIA) project is an element within NSF's fabric of coordinated Cyberinfrastructure that helps collaborations avoid security pitfalls while reducing the burden of scientific software management. SOTERIA aims to provide researchers with improved discoverability, visibility, and traceability of their software environments.

SOTERIA operates a container registry for open science. The registry has been customized to meet the unique needs of the scientific environment, including associating the researcher’s identity with container images, providing image security scanning and introspection (visibility), and integration with other digital object identification and archiving services. SOTERIA also

operates a container distribution service with tools to trace image provenance through the ecosystem. Finally, as the challenge of managing secure software environments goes far beyond container security, SOTERIA provides training and education on best practices tailored to researchers.

This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.