<!-- 
RSS generated by JIRA (1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d) at Thu Feb 08 23:29:12 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary add field=key&field=summary to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>FOLIO Jira</title>
    <link>https://folio-org.atlassian.net</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>1001.0.0-SNAPSHOT</version>
        <build-number>100246</build-number>
        <build-date>07-02-2024</build-date>
    </build-info>

<item>
            <title>[FOLIO-3583] OWASP Zed Attack Proxy (ZAP)</title>
                <link>https://folio-org.atlassian.net/browse/FOLIO-3583</link>
                <project id="10290" key="FOLIO">FOLIO</project>
                    <description>&lt;h2&gt;&lt;a name=&quot;Overview&quot;&gt;&lt;/a&gt;Overview&lt;/h2&gt;

&lt;p&gt;The purpose of this feature is to utilize the OWASP ZAP project to identify potential security risks/vulnerabilities.&lt;/p&gt;

&lt;p&gt;NOTE: the FOLIO project has run ZAP scans in the past, but it&apos;s been a long time. There&apos;s also the feeling that we can get more out of this tool with some effort.&lt;/p&gt;
&lt;h2&gt;&lt;a name=&quot;WhatisZAP%3F&quot;&gt;&lt;/a&gt;What is ZAP?&lt;/h2&gt;

&lt;p&gt;From &lt;a href=&quot;https://www.zaproxy.org/getting-started/&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://www.zaproxy.org/getting-started/&lt;/a&gt;:&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool being maintained under the umbrella of the Open Web Application Security Project (OWASP). ZAP is designed specifically for testing web applications and is both flexible and extensible.&lt;/p&gt;

&lt;p&gt;At its core, ZAP is what is known as a &#8220;man-in-the-middle proxy.&#8221; It stands between the tester&#8217;s browser and the web application so that it can intercept and inspect messages sent between browser and web application, modify the contents if needed, and then forward those packets on to the destination. It can be used as a stand-alone application, and as a daemon process.&lt;/p&gt;&lt;/blockquote&gt;
&lt;h2&gt;&lt;a name=&quot;Scope&quot;&gt;&lt;/a&gt;Scope&lt;/h2&gt;
&lt;ul&gt;
	&lt;li&gt;Investigate, learn, and document ZAP.
	&lt;ul&gt;
		&lt;li&gt;What knobs can be adjusted to better suit our needs?&lt;/li&gt;
		&lt;li&gt;Can ZAP&apos;s extensibility be leveraged for higher quality, more complete scans?&lt;/li&gt;
	&lt;/ul&gt;
	&lt;/li&gt;
	&lt;li&gt;Design and implement processes and/or automation to periodically run ZAP scans.
	&lt;ul&gt;
		&lt;li&gt;Incorporate this into the flower release cycle/bugfest?&lt;/li&gt;
		&lt;li&gt;Periodically run this against nightly-built environments?&lt;/li&gt;
		&lt;li&gt;What happens when issues are identified?
		&lt;ul&gt;
			&lt;li&gt;Notification/alerting mechanisms?&#160; Email? Slack? Other?&lt;/li&gt;
			&lt;li&gt;Automatic JIRA creation?&lt;/li&gt;
			&lt;li&gt;Something else?&lt;/li&gt;
		&lt;/ul&gt;
		&lt;/li&gt;
	&lt;/ul&gt;
	&lt;/li&gt;
	&lt;li&gt;Use ZAP!
	&lt;ul&gt;
		&lt;li&gt;Manual scans in the short-term&lt;/li&gt;
	&lt;/ul&gt;
	&lt;/li&gt;
&lt;/ul&gt;
</description>
                <environment></environment>
        <key id="79766">FOLIO-3583</key>
            <summary>OWASP Zed Attack Proxy (ZAP)</summary>
                <type id="10002" iconUrl="https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10322?size=medium">New Feature</type>
                            <parent id="79765">FOLIO-3582</parent>
                                    <priority id="10002" iconUrl="https://dev.folio.org/assets/jira-priority/jira-p3.svg">P3</priority>
                        <status id="1" iconUrl="https://folio-org.atlassian.net/images/icons/statuses/open.png" description="The issue is open and ready for the assignee to start work on it.">Open</status>
                    <statusCategory id="2" key="new" colorName="blue-gray"/>
                                    <resolution id="-1">Unresolved</resolution>
                                                        <assignee accountid="-1">Unassigned</assignee>
                                                                <reporter accountid="5cf6c546b87c300f36eb7b9a">Craig McNally</reporter>
                                    <labels>
                            <label>security</label>
                            <label>security-reviewed</label>
                    </labels>
                <created>Fri, 16 Sep 2022 13:43:21 +0000</created>
                <updated>Thu, 30 Nov 2023 16:41:22 +0000</updated>
                                                                                <due></due>
                            <votes>0</votes>
                                    <watches>2</watches>
                                                                <comments>
                                                            <comment id="189854" author="557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d" created="Wed, 24 May 2023 11:22:30 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5cf6c546b87c300f36eb7b9a&quot; class=&quot;user-hover&quot; rel=&quot;5cf6c546b87c300f36eb7b9a&quot; data-account-id=&quot;5cf6c546b87c300f36eb7b9a&quot; accountid=&quot;5cf6c546b87c300f36eb7b9a&quot; rel=&quot;noreferrer&quot;&gt;Craig McNally&lt;/a&gt; should we revisit this?&lt;/p&gt;</comment>
                                                            <comment id="189855" author="5cf6c546b87c300f36eb7b9a" created="Wed, 24 May 2023 16:16:21 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3Ab8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; class=&quot;user-hover&quot; rel=&quot;557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; data-account-id=&quot;557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; accountid=&quot;557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; rel=&quot;noreferrer&quot;&gt;Jakub Skoczen&lt;/a&gt; yeah, it&apos;s been hanging out on the security team agenda for a while.&#160; I think the problem is finding someone who has time to dedicate to this.&lt;/p&gt;</comment>
                                                            <comment id="189857" author="5cf6c546b87c300f36eb7b9a" created="Wed, 24 May 2023 16:17:30 +0000"  >&lt;p&gt;IIRC &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5c9e3a4c203e134514cf9a6f&quot; class=&quot;user-hover&quot; rel=&quot;5c9e3a4c203e134514cf9a6f&quot; data-account-id=&quot;5c9e3a4c203e134514cf9a6f&quot; accountid=&quot;5c9e3a4c203e134514cf9a6f&quot; rel=&quot;noreferrer&quot;&gt;Skott Klebe&lt;/a&gt; did some work in this area but I don&apos;t have details handy.&#160; I forget if anything was documented, or if it was just presented/shared with the security team.&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10008">
                    <name>Defines</name>
                                                                <inwardlinks description="is defined by ">
                                        <issuelink>
            <issuekey id="79767">FOLIO-3584</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="79885">FOLIO-3868</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10000" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummarycf">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10057" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Development Team</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10168"><![CDATA[None]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10014" key="com.pyxis.greenhopper.jira:gh-epic-link">
                        <customfieldname>Epic Link</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue key="$xmlutils.escape($text)">Security checks, reviews, and fitness functions</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10063" key="com.atlassian.jira.plugin.system.customfieldtypes:float">
                        <customfieldname>PO Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10019" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|i05fbs:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10020" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10024" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>[CHART] Date of First Response</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Wed, 24 May 2023 11:22:30 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                </customfields>
    </item>
</channel>
</rss>