2021-03-19 Meeting Notes

Attendees

Discussion items

Item	Who	Notes
Review Security Issues	Team	Review Kanban board
Need for new process	TC	Assigned action item to document what the process is for handling design related security issues. The Kafka discussion is an example of how things work without a documented process (it was unclear). Update: No progress since TC did not meet this week.
UI dependency Vulnerabilities	Team	Since John/Ryan are here, we decided it discuss the topic of checking for and handling vulnerabilities in 3rd party dependencies. Handling these in "real time" e.g. via Snyk is too big of a distraction Possibly adopt a period process - N times a year have all UI devs check their modules and resolve known vulnerabilities Some changes are easy - just upgrade Other changes involve breaking changes - need to coordinate across teams, etc. Vulnerabilities are reported via dependabot Bugs are filed in JIRA, tagged w/ security These are reviewed by the security team as usual Now that we have more UI experience on the team, it will be easier triage / prioritize these At some point (once a year? quarter? release?) the UI devs should review the bugs and resolve at least all the high priority ones. This includes running npm audit, looking at dependabot, synk, etc. - NOT just the JIRAs which the security team triaged/prioritized. Possible come up with a JIRA template to help with consistency and make this easier for teams to adopt this process.
Review all Sec Issues	Team	Action for March 19, 2021? Update: We didn't get to this - April 2, 2021?
Security page	Team	Discuss where the "Public Facing" Security page should live and what info it should have on it. The Safe Harbor page above is one example of what should be there. Update: We didn't get to this - April 2, 2021?