[FOLIO-3582] Security checks, reviews, and fitness functions Created: 16/Sep/22  Updated: 30/Nov/23

Status: Open
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: Epic Priority: P3
Reporter: Craig McNally Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: security, security-reviewed
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Epic Name: Security Tools and Architecture
Sprint:
Development Team: None

Description

Overview

As the FOLIO project grows in size and is adopted by more libraries, it's more important than ever to be diligent about our security hygiene. In order for us to patch security vulnerabilities, we first need to find/identify them. Projects like OWASP (see below) provide a wide array of tools, standards, etc. The purpose of this epic is to review, investigate, and leverage these resources to give the project better visibility into potential risks and vulnerabilities FOLIO may be susceptible to or affected by.

What is OWASP? From owasp.org:

The Open Web Application Security Project® (OWASP) is a nonprofit foundation that works to improve the security of software. Through community-led open-source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web.

  • Tools and Resources
  • Community and Networking
  • Education & Training

Scope

  • Periodic one-time scans using tools like ZAP
  • Ongoing/Continuous scanning of dependencies using tools like Snyk
  • Incorporate additional security checks into existing or new CI/CD automation
  • Review of standards and the project's current processes to identify gaps
  • Development of fitness functions which leverage tools/standards/etc. from OWASP. These could be run on demand or on a regular basis
  • Notification/alerting the FOLIO Security Team when risks are identified
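As an added illustration of the "fitness function" and "notification/alerting" scope items above (this is example code written for this page, not part of this epic or of any FOLIO or Snyk code), the script below reads a dependency-scan report, applies a severity policy, and produces both a pass/fail verdict for CI and a list of alert lines that could be forwarded to the FOLIO Security Team. The JSON shape, the severity scale, the package names and the PLACEHOLDER-nnnn vulnerability ids are all constructed assumptions; a real scanner's output would need its own parser.

```python
"""Dependency-vulnerability fitness function (added example, not FOLIO code)."""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass
from typing import Optional

# Severity ordering used by the policy. Assumed scale; map a real scanner's
# severities onto it before use.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample report. The structure is a simplified stand-in for a
# scanner's JSON output, not any real tool's format; ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": [
        {"package": "example-lib", "version": "1.2.3", "id": "PLACEHOLDER-0001",
         "severity": "high", "fixedIn": "1.2.4"},
        {"package": "example-util", "version": "0.9.0", "id": "PLACEHOLDER-0002",
         "severity": "low", "fixedIn": None},
        {"package": "example-core", "version": "2.0.0", "id": "PLACEHOLDER-0003",
         "severity": "critical", "fixedIn": "2.0.1"},
    ]
})


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    vuln_id: str
    severity: str
    fixed_in: Optional[str]


@dataclass
class Verdict:
    passed: bool
    violations: list
    alerts: list


def parse_report(text: str) -> list:
    """Turn the (assumed) report JSON into Finding objects, rejecting unknown severities."""
    data = json.loads(text)
    findings = []
    for v in data.get("vulnerabilities", []):
        sev = str(v.get("severity", "")).lower()
        if sev not in SEVERITY_RANK:
            # Fail closed: an unrecognised severity must not silently pass.
            raise ValueError(f"unknown severity {sev!r} for {v.get('id')}")
        findings.append(Finding(v["package"], v["version"], v["id"], sev, v.get("fixedIn")))
    return findings


def evaluate(findings, fail_at: str = "high", accepted=frozenset()) -> Verdict:
    """Fitness function: fail when any finding at or above `fail_at` is not an accepted risk.

    `accepted` holds vulnerability ids that the security team has reviewed and
    consciously accepted (e.g. not reachable in FOLIO's usage); they do not fail
    the build but are still excluded only by explicit id.
    """
    threshold = SEVERITY_RANK[fail_at]
    violations = [
        f for f in findings
        if SEVERITY_RANK[f.severity] >= threshold and f.vuln_id not in accepted
    ]
    alerts = []
    # Most severe first so the top line of a notification is the most urgent one.
    for f in sorted(violations, key=lambda f: -SEVERITY_RANK[f.severity]):
        fix = f"upgrade to {f.fixed_in}" if f.fixed_in else "no fix available yet"
        alerts.append(f"[{f.severity.upper()}] {f.package}@{f.version} {f.vuln_id}: {fix}")
    return Verdict(passed=not violations, violations=violations, alerts=alerts)


def run(report_text: str, fail_at: str = "high") -> int:
    """CI entry point: print alert lines and return a process exit code."""
    verdict = evaluate(parse_report(report_text), fail_at=fail_at)
    for line in verdict.alerts:
        print(line)
    return 0 if verdict.passed else 1


if __name__ == "__main__":
    # Usage: python fitness.py report.json [fail_at]; falls back to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(run(text, sys.argv[2] if len(sys.argv) > 2 else "high"))
```

Wired into a pipeline stage that runs after the scanner, the non-zero exit code blocks the build while the printed alert lines are what a notification step would send on; the `accepted` set is the place to record reviewed risk acceptances by id rather than lowering the threshold for everyone.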

Links

This is not an exhaustive list, but may be a good place to start.


Generated at Thu Feb 08 23:29:11 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.