2020-10-30 Meeting Notes - Security

Date

30 Oct 2020

Attendees

  • @Mike Gorrell

  • @Axel Dörrer

  • @Ryan Berger

  • @Brandon Tharp

  • @Craig McNally

  • @Julian Ladisch

Discussion items

Item: Review Security Issues
Who: Team
Notes: Review Kanban board (no new issues that haven't been reviewed).

Item: Safe harbor, policies
Who: @Mike Gorrell
Notes: Have sent the Safe Harbor Statement/Acceptable Use Policy to a lawyer at Duke for review. After agreeing to review, they declined to comment due to a possible conflict of interest (Duke being a contributor, participant and user of FOLIO). @Mike Gorrell to reach out to the OLF lawyer again for a quote.

Quote is for $450-$900. Asked for approval to move forward.

Have not heard back; will follow up next week.

Item: RMB-743
Who: @Julian Ladisch
Notes: A topic for tomorrow's meeting: There is a request (RMB-743) that we add a backdoor to FOLIO to avoid using proper Single Sign-On: when RMB gets a request with the preserveMetadata parameter, any audit data (createdByUserId, changedByUserId) can be set. That way an external server-side web app that ships with some hard-coded admin credentials can write the id of any user X into the audit data without having user X's restrictions: this works even if user X has been disabled or if user X doesn't have the permissions for the request.
What is the opinion of the security group? Should we support the request, or should we require that the external server-side web app uses a proper login of the actual user, similar to the existing mod-saml-login?

Craig will add a comment to the issue (potentially to split into 2 issues, adding the thoughts of the Security Group) and link a Tech roadmap item related to Service Accounts.