Date
Attendees
Discussion items
| Time | Item | Who | Notes |
|---|
| 45 Min | Proposal site structure | Group diskussion | - Site structrue
- Definitions within environment(s) to investigate
- classes of threats
- External generic - i.e script kiddies, without folio-specific knowledge
- "Bad user" - has a folio account and password. Either leaked account/password or evil user
- Internal non-folio - Has access to (parts of) folio network but no account
- non-malicious - I.e Ooops- script or command. User with foilo-account that had bad luck when thinking
- classes of networks
- public net
- internals net(s)
- classes of FOLIO services
- FOLIO Backend modules
- FOLIO permission/managing service - OKAPI
- Secondary services
- Kafka
- Elastic Search
- Database
- FOLIO-Reporting?
- Monitoring?
- classes of tools to explore
- webservers / proxies
- firewalls
- treat/suspicous traffic detection services (log scanning eg. elastic search)
- others?
- scope:
- start with API
- later: UI
- later: secondary services (Kafka, Elastic Search, Database etc.)
- out of scope:
- Bringing down / securing secondary services
- several stages of aproach
- Investigation → stories and (ab)use cases
- Matrix of cases to explore
- eg. bringing down Okapi
- clause of from external network
- clause from internal net to bring down modules directly
- Defining test case/environments
- Creating test environment and verifying
- Outcome should be a documentation
- no need to specify this on at this stage
- (Diagrams where needed)
|
| 5 Min | Meeting times and frequencies | All | - Fridays 11 CET every week to start
- stay in huddle for the moment
- could lower frequency later for asychronous work
|
Action items
Axel to create defintions page and start with classes definition → inform about that in slack