<!-- 
RSS generated by JIRA (1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d) at Thu Feb 08 23:29:11 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary add field=key&field=summary to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>FOLIO Jira</title>
    <link>https://folio-org.atlassian.net</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>1001.0.0-SNAPSHOT</version>
        <build-number>100246</build-number>
        <build-date>07-02-2024</build-date>
    </build-info>

<item>
            <title>[FOLIO-3582] Security checks, reviews, and fitness functions</title>
                <link>https://folio-org.atlassian.net/browse/FOLIO-3582</link>
                <project id="10290" key="FOLIO">FOLIO</project>
                    <description>&lt;h2&gt;&lt;a name=&quot;Overview&quot;&gt;&lt;/a&gt;Overview&lt;/h2&gt;

&lt;p&gt;As the FOLIO project grows in size and is adopted by more libraries, it&apos;s more important than ever to be diligent about our security hygiene. In order to patch security vulnerabilities, we first need to find and identify them. Projects like OWASP (see below) provide a wide array of tools, standards, and guidance. The purpose of this epic is to review, investigate, and leverage these resources to give the project better visibility into the potential risks and vulnerabilities FOLIO may be susceptible to or affected by.&lt;/p&gt;

&lt;p&gt;What is OWASP? From &lt;a href=&quot;https://owasp.org/&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;owasp.org&lt;/a&gt;:&lt;/p&gt;

&lt;blockquote&gt;&lt;p&gt;The Open Web Application Security Project&#174; (OWASP) is a nonprofit foundation that works to improve the security of software. Through community-led open-source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web.&lt;/p&gt;&lt;/blockquote&gt;

&lt;ul&gt;
	&lt;li&gt;Tools and Resources&lt;/li&gt;
	&lt;li&gt;Community and Networking&lt;/li&gt;
	&lt;li&gt;Education &amp;amp; Training&lt;/li&gt;
&lt;/ul&gt;


&lt;h2&gt;&lt;a name=&quot;Scope&quot;&gt;&lt;/a&gt;Scope&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;Periodic, point-in-time dynamic scans of a running FOLIO instance using tools like ZAP&lt;/li&gt;
	&lt;li&gt;Ongoing/continuous scanning of third-party dependencies for known vulnerabilities using tools like Snyk&lt;/li&gt;
	&lt;li&gt;Incorporate additional security checks into existing or new CI/CD automation&lt;/li&gt;
	&lt;li&gt;Review of relevant standards against the project&apos;s current processes to identify gaps&lt;/li&gt;
	&lt;li&gt;Development of fitness functions that leverage tools and standards from OWASP. These could be run on demand or on a regular schedule&lt;/li&gt;
	&lt;li&gt;Notification/alerting the FOLIO Security Team when risks are identified&lt;/li&gt;
&lt;/ul&gt;


&lt;h2&gt;&lt;a name=&quot;Links&quot;&gt;&lt;/a&gt;Links&lt;/h2&gt;

&lt;p&gt;This is not an exhaustive list, but may be a good place to start.&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;a href=&quot;https://owasp.org/www-project-top-ten/&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;OWASP Top Ten&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;&lt;a href=&quot;https://owasp.org/www-project-zap/&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;OWASP Zed Attack Proxy (ZAP)&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;&lt;a href=&quot;https://owasp.org/www-project-application-security-verification-standard/&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;OWASP Application Security Verification Standard (ASVS)&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;&lt;a href=&quot;https://owasp.org/www-project-samm/&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;OWASP Software Assurance Maturity Model (SAMM)&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;&lt;a href=&quot;https://owasp.org/www-project-web-security-testing-guide/&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;OWASP Web Security Testing Guide&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;Snyk: &lt;a href=&quot;https://snyk.io/&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://snyk.io/&lt;/a&gt; , &lt;a href=&quot;https://docs.snyk.io/&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://docs.snyk.io/&lt;/a&gt; , &lt;a href=&quot;https://folio-org.atlassian.net/wiki/display/SEC/Snyk&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://folio-org.atlassian.net/wiki/display/SEC/Snyk&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
</description>
                <environment></environment>
        <key id="79765">FOLIO-3582</key>
            <summary>Security checks, reviews, and fitness functions</summary>
                <type id="10000" iconUrl="https://folio-org.atlassian.net/images/icons/issuetypes/epic.svg">Epic</type>
                                            <priority id="10002" iconUrl="https://dev.folio.org/assets/jira-priority/jira-p3.svg">P3</priority>
                        <status id="1" iconUrl="https://folio-org.atlassian.net/images/icons/statuses/open.png" description="The issue is open and ready for the assignee to start work on it.">Open</status>
                    <statusCategory id="2" key="new" colorName="blue-gray"/>
                                    <resolution id="-1">Unresolved</resolution>
                                                        <assignee accountid="-1">Unassigned</assignee>
                                                                <reporter accountid="5cf6c546b87c300f36eb7b9a">Craig McNally</reporter>
                                    <labels>
                            <label>security</label>
                            <label>security-reviewed</label>
                    </labels>
                <created>Fri, 16 Sep 2022 13:06:24 +0000</created>
                <updated>Thu, 30 Nov 2023 16:41:28 +0000</updated>
                                                                                <due></due>
                            <votes>0</votes>
                                    <watches>2</watches>
                                                                        <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10000" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummarycf">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10057" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Development Team</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10168"><![CDATA[None]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10013" key="com.pyxis.greenhopper.jira:gh-epic-color">
                        <customfieldname>Epic Color</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>ghx-label-11</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10011" key="com.pyxis.greenhopper.jira:gh-epic-label">
                        <customfieldname>Epic Name</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Security Tools and Architecture</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10012" key="com.pyxis.greenhopper.jira:gh-epic-status">
                        <customfieldname>Epic Status</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10016"><![CDATA[To Do]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                <customfield id="customfield_10017" key="com.pyxis.greenhopper.jira:jsw-issue-color">
                        <customfieldname>Issue color</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>teal</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_10063" key="com.atlassian.jira.plugin.system.customfieldtypes:float">
                        <customfieldname>PO Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10019" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|i05fbk:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10020" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                </customfields>
    </item>
</channel>
</rss>