<!-- 
RSS generated by JIRA (1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d) at Thu Feb 08 23:29:12 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary add field=key&field=summary to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>FOLIO Jira</title>
    <link>https://folio-org.atlassian.net</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>1001.0.0-SNAPSHOT</version>
        <build-number>100246</build-number>
        <build-date>07-02-2024</build-date>
    </build-info>

<item>
            <title>[FOLIO-3584] SPIKE - investigate OWASP Zed Attack Proxy (ZAP)</title>
                <link>https://folio-org.atlassian.net/browse/FOLIO-3584</link>
                <project id="10290" key="FOLIO">FOLIO</project>
                    <description>&lt;h2&gt;&lt;a name=&quot;Overview&quot;&gt;&lt;/a&gt;Overview&lt;/h2&gt;

&lt;p&gt;While FOLIO has used the OWASP ZAP tool in the past, it was a long time ago, and the sentiment among the Security Team is that we can likely get more out of ZAP.&lt;/p&gt;

&lt;p&gt;The purpose of this spike is to research/investigate/explore ZAP and document answers to the following:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;What types/classes of vulnerabilities can/should the project expect ZAP to identify &#8211; and, just as importantly, which classes it should not be expected to find (ZAP is a dynamic scanner; business-logic and authorization flaws generally still need manual review)?&lt;/li&gt;
	&lt;li&gt;What &quot;knobs/dials&quot; can be adjusted to better suit FOLIO&apos;s needs (e.g. scan policy, authentication/session handling, API definitions, context/scope)?
	&lt;ul&gt;
		&lt;li&gt;Can ZAP&apos;s extensibility (add-ons, scripts, custom scan rules) be easily leveraged to provide higher quality, more complete results?&lt;/li&gt;
	&lt;/ul&gt;
	&lt;/li&gt;
	&lt;li&gt;How might FOLIO incorporate ZAP into new or existing automation?
	&lt;ul&gt;
		&lt;li&gt;Does it make sense to incorporate ZAP scans into:
		&lt;ul&gt;
			&lt;li&gt;The flower release cycle? (e.g. against bugfest)&lt;/li&gt;
			&lt;li&gt;Regularly run automation? (e.g. against nightly built environments &#8211; on a nightly/weekly/monthly basis)&lt;/li&gt;
		&lt;/ul&gt;
		&lt;/li&gt;
	&lt;/ul&gt;
	&lt;/li&gt;
	&lt;li&gt;How and where can/should we keep scan results for tracking and historic purposes?
	&lt;ul&gt;
		&lt;li&gt;How long should we retain scan results?&lt;/li&gt;
		&lt;li&gt;Should scan results be publicly accessible, or kept private until after review by the Security Team? (Note: raw scan output can point directly at unpatched, potentially exploitable findings, so publishing it before triage and remediation may aid an attacker.)&lt;/li&gt;
	&lt;/ul&gt;
	&lt;/li&gt;
	&lt;li&gt;Is it possible that ZAP scans could interfere with regular use/testing of the system being scanned? (An active scan submits requests that may create, modify or delete data and adds significant load.) If so, how might we mitigate the impact of this &#8211; e.g. dedicated scan environments and dedicated, least-privilege test accounts for authenticated scans?
	&lt;ul&gt;
		&lt;li&gt;What is the expected duration for ZAP scans, given various configurations?&lt;/li&gt;
	&lt;/ul&gt;
	&lt;/li&gt;
&lt;/ul&gt;


&lt;h2&gt;&lt;a name=&quot;AcceptanceCriteria&quot;&gt;&lt;/a&gt;Acceptance Criteria&lt;/h2&gt;

&lt;ul&gt;
	&lt;li&gt;Spike findings are documented on the &lt;a href=&quot;https://folio-org.atlassian.net/wiki/display/SEC/Spikes+and+Investigations&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;wiki&lt;/a&gt; and shared with the Security Team&lt;/li&gt;
	&lt;li&gt;User stories are created/updated with details and/or references to existing or newly generated documentation&lt;/li&gt;
&lt;/ul&gt;
</description>
                <environment></environment>
        <key id="79767">FOLIO-3584</key>
            <summary>SPIKE - investigate OWASP Zed Attack Proxy (ZAP)</summary>
                <type id="10005" iconUrl="https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10309?size=medium">Story</type>
                            <parent id="79765">FOLIO-3582</parent>
                                    <priority id="10002" iconUrl="https://dev.folio.org/assets/jira-priority/jira-p3.svg">P3</priority>
                        <status id="1" iconUrl="https://folio-org.atlassian.net/images/icons/statuses/open.png" description="The issue is open and ready for the assignee to start work on it.">Open</status>
                    <statusCategory id="2" key="new" colorName="blue-gray"/>
                                    <resolution id="-1">Unresolved</resolution>
                                                        <assignee accountid="5c9e3a4c203e134514cf9a6f">Skott Klebe</assignee>
                                                                <reporter accountid="5cf6c546b87c300f36eb7b9a">Craig McNally</reporter>
                                    <labels>
                            <label>security</label>
                            <label>security-reviewed</label>
                    </labels>
                <created>Fri, 16 Sep 2022 14:00:18 +0000</created>
                <updated>Thu, 7 Sep 2023 15:00:39 +0000</updated>
                                                                                <due></due>
                            <votes>0</votes>
                                    <watches>1</watches>
                                                                    <issuelinks>
                            <issuelinktype id="10008">
                    <name>Defines</name>
                                            <outwardlinks description="defines">
                                        <issuelink>
            <issuekey id="79766">FOLIO-3583</issuekey>
        </issuelink>
                            </outwardlinks>
                                                        </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10000" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummarycf">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10057" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Development Team</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10168"><![CDATA[None]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10014" key="com.pyxis.greenhopper.jira:gh-epic-link">
                        <customfieldname>Epic Link</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue key="$xmlutils.escape($text)">Security checks, reviews, and fitness functions</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10063" key="com.atlassian.jira.plugin.system.customfieldtypes:float">
                        <customfieldname>PO Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                    <customfield id="customfield_10106" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>RCA Group</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10367"><![CDATA[TBD]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10019" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|i05fc8:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10020" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    </customfields>
    </item>
</channel>
</rss>