2020-09-11 Meeting notes

Date

Attendees

Discussion items

Time | Item | Who | Notes

Review Open Actions (team)

Secret Storage - Conveyed that the Auth refactoring is a higher priority than Secret Storage/Distributed Config... over to the Capacity Planning team for discussion next week. Uncertain when this will be able to be worked on due to competing priorities.

SNYK - Note that it automatically creates PRs when you add repositories. Also, Julian added some Java modules and it seems that the GitHub and SNYK notifications are not the same, so it might be useful to have both. Since we 'get it for free' we might as well use it. Post a statement to the Developers channel that the Security Group recommends using this tool. Note that the SNYK robot has to comply with the CLA (Contributor License Agreement) so that the PRs it creates can be merged. Julian will explore the CLA and send the message to the #developer channel.


Review Security JIRA issues (Team)

Review Kanban board - do we like this approach?

Or work through the list

We'll use the Kanban board. Discussion of how to keep track of the Dependabot and SNYK alerts and make sure they don't fall through the cracks. Homework - team reviews possibilities and makes suggestions at the next meeting. One thought - should we route mail to security@folio.org into JIRA?


Housekeeping issues

Security email setup - security@folio.org works!

Have sent Safe Harbor Statement/Acceptable Use Policy to Lawyer for review

Jira configuration actions:

  • Per Kanban review - suggested a new label - security-reviewed - Figure out a tagging/other system to note which items this team discussed
  • Prioritize:
    • Can the Security Project be set up so that new issues automatically set the Security Level to FOLIO Security Group PLUS the Creator (who might have additional context, etc.)?
      • Confirmed how to get this done - need to coordinate changes to the permission scheme and security scheme for the Security project with the JIRA admin (some dependencies with other settings/projects).
      • Try to complete by next meeting
    • PAUSE - Some issues appear to show Security Level but others don't. Investigate. Could be issue type (Epic vs Story vs Task vs Bug).
      • Still investigating. It won't show unless it's set. The field has to be configured to appear on the screen that the project uses (not so for UXPROD)
      • Able to set for task, bug and epic.
    • PAUSE - Clarify and/or propose how we set a security level that allows only those who might need to know (i.e. the specific developers who might work on issues)
      • Need to define who is part of the list. Currently an "external core contributors" group that has 178 members. The current Security Role of "Core FOLIO Team" points to this group.
      • Use the "Core FOLIO Team"
      • May not ever need a more restrictive group.

Alisha
Where to give her credit? Let's create a list on the Security Wiki first to get going, and then raise the issue with others on how/where to list people more prominently. We will wait until the issue is resolved? No need to wait.