2020-06-26 Meeting notes

Date

Attendees

Discussion items


Time: 2 min
Item: Update on JIRA config and email
Who: @mike
Notes:

Have identified a couple of JIRA marketplace products to trial to help with:

  • Can the Security Project be set up so that new issues automatically set the Security Level to FOLIO Security Group?
  • Some issues appear to show Security Level but others don't. Investigate. Could be issue type (Epic vs Story vs Task vs Bug).
  • Clarify and/or propose how we set a security level that allows access only to those who might need to know (i.e. the specific developers who might work on the issues).

But primary JIRA admin is OOO this week.


Email (security@folio.org): forwarding should be finished, but it is not quite working yet. More later.


Item: Spike for SSO flow
Who: Axel and Craig
Notes: Had previously created a Spike to investigate leveraging NGINX/Apache etc. The Core team discussed it, and we may not move off the current path, but we will discuss and continue with the spike. Axel to add thoughts on what we might investigate on this page: Authentication and Authorization

Item: Review status of JIRA issues and other security alerts
Who: Team
Notes: Review open JIRA Security issues as a team. Note that planning by teams hasn't happened yet; it is scheduled for next week.


Github Alerts:

  • Github sends alerts about security issues that it identifies. These messages are configured to go to the repo owners and to this security group. The question is how to deal with them. This was discussed with the Tech Council earlier this week. Their thoughts were:
    • Treat these like any other security issue that's raised.
    • Ideally the JIRA issues will be created automatically based on the Github emails.
    • Note that repo owners can be proactive and may not rely on creation of a JIRA by the Security group; they may deal with the issue on their own, and that's fine.
  • Note we'll need to make sure that the permissions on the JIRA issues allow the developers to view them.
  • Note that if you don't have write access to the repo you won't be able to actually view the vulnerable dependencies listed in the email.