Overview
As the FOLIO project grows in size and is adopted by more libraries, it's more important than ever to be diligent about our security hygiene. In order for us to patch security vulnerabilities, we first need to find and identify them. Projects like OWASP (see below) provide a wide array of tools, standards, etc. The purpose of this epic is to review, investigate, and leverage these resources to give the project better visibility into potential risks and vulnerabilities that FOLIO may be susceptible to or affected by.
What is OWASP? From owasp.org:
The Open Web Application Security Project® (OWASP) is a nonprofit foundation that works to improve the security of software. Through community-led open-source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web.
- Tools and Resources
- Community and Networking
- Education & Training
Scope
- Periodic one-time scans using tools like ZAP
- Ongoing/Continuous scanning of dependencies using tools like Snyk
- Incorporate additional security checks into existing or new CI/CD automation
- Review of standards and the project's current processes to identify gaps
- Development of fitness functions which leverage tools/standards/etc. from OWASP. These could be run on demand or on a regular basis
- Notification/alerting the FOLIO Security Team when risks are identified
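As an added illustration of the "fitness function" and "notification/alerting" items above (this is example code written for this page, not code from the FOLIO project, Snyk, ZAP, or any OWASP tool), the script below takes a dependency-scan report, fails when any finding is at or above a configurable severity threshold, and builds the alert text that would be sent to the security team. The report layout, the module name and the package and advisory identifiers are all constructed for the example; a real integration would adapt `parse_report()` to the actual scanner's output format.

```python
"""Fitness function: fail a CI job when a dependency scan reports findings at or
above a severity threshold, and produce the alert for the security team.

The JSON layout handled here is a constructed, simplified shape for this
example. It is NOT the native output of Snyk or OWASP Dependency-Check;
adapt parse_report() to the real tool's report before using it in CI.
"""
import json
import sys

# Ordered severity scale used for threshold comparisons.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample report: hypothetical module, packages and advisory ids.
SAMPLE_REPORT = json.dumps({
    "module": "mod-example",
    "findings": [
        {"package": "lib-a", "version": "1.2.3", "id": "EXAMPLE-0001",
         "severity": "low", "cvss": 3.1, "fixed_in": "1.2.4"},
        {"package": "lib-b", "version": "4.0.0", "id": "EXAMPLE-0002",
         "severity": "high", "cvss": 7.5, "fixed_in": None},
        {"package": "lib-c", "version": "0.9.1", "id": "EXAMPLE-0003",
         "severity": "critical", "cvss": 9.8, "fixed_in": "0.9.2"},
    ],
})


def parse_report(text):
    """Normalize scanner JSON into (module_name, list_of_findings).

    Severities are lower-cased; an unrecognized severity is promoted to
    "high" so that a scanner quirk never causes a finding to be ignored.
    """
    data = json.loads(text)
    findings = []
    for raw in data.get("findings", []):
        severity = str(raw.get("severity", "")).lower()
        if severity not in SEVERITY_RANK:
            severity = "high"
        findings.append({
            "package": raw.get("package", "?"),
            "version": raw.get("version", "?"),
            "id": raw.get("id", "?"),
            "severity": severity,
            "cvss": raw.get("cvss"),
            "fixed_in": raw.get("fixed_in"),
        })
    return data.get("module", "unknown"), findings


def evaluate(findings, threshold="high", allowlist=()):
    """Return (passed, violations).

    A finding violates the fitness function when its severity is at or above
    `threshold` and its advisory id is not in `allowlist` (documented,
    time-boxed risk acceptances). Violations are sorted worst-first.
    """
    min_rank = SEVERITY_RANK[threshold]
    violations = [
        f for f in findings
        if SEVERITY_RANK[f["severity"]] >= min_rank and f["id"] not in allowlist
    ]
    violations.sort(key=lambda f: (-SEVERITY_RANK[f["severity"]], f["package"]))
    return len(violations) == 0, violations


def format_alert(module, violations):
    """Build the plain-text message sent to the security team channel."""
    lines = [f"[security-fitness] {module}: {len(violations)} finding(s) above threshold"]
    for f in violations:
        fix = f"fix available in {f['fixed_in']}" if f["fixed_in"] else "no fix released yet"
        lines.append(
            f"  - {f['severity'].upper():8} {f['package']}@{f['version']} "
            f"{f['id']} (CVSS {f['cvss']}), {fix}"
        )
    return "\n".join(lines)


def main(argv):
    """Usage: fitness.py [report.json] [threshold]; reads stdin if no file given."""
    text = open(argv[1]).read() if len(argv) > 1 else sys.stdin.read()
    threshold = argv[2] if len(argv) > 2 else "high"
    module, findings = parse_report(text)
    passed, violations = evaluate(findings, threshold)
    if not passed:
        print(format_alert(module, violations))
        return 1  # non-zero exit fails the CI stage
    print(f"[security-fitness] {module}: OK ({len(findings)} finding(s) below '{threshold}')")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run on demand with `python fitness.py report.json high`, or wire the same call into a scheduled CI job so the exit code gates the pipeline. The allowlist is deliberately explicit rather than a blanket severity override: each accepted advisory id should correspond to a recorded decision, and removing it once the dependency is upgraded makes the fitness function start enforcing again automatically.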
Links
This is not an exhaustive list, but may be a good place to start.