2021-03-19 Meeting Notes

Attendees

Discussion items (columns: Time | Item | Who | Notes)

Item: Review Security Issues | Who: Team
Notes: Review Kanban board

Item: Need for new process | Who: TC

Assigned an action item to document the process for handling design-related security issues. The Kafka discussion is an example of how things go without a documented process (it was unclear).

Update: No progress, since TC did not meet this week.


Item: UI dependency vulnerabilities | Who: Team

Since John/Ryan are here, we decided to discuss the topic of checking for and handling vulnerabilities in 3rd-party dependencies.

  • Handling these in "real time", e.g. via Snyk, is too big a distraction
  • Possibly adopt a periodic process: N times a year, have all UI devs check their modules and resolve known vulnerabilities

Some changes are easy - just upgrade

Other changes involve breaking changes - need to coordinate across teams, etc.

  1. Vulnerabilities are reported via Dependabot
  2. Bugs are filed in JIRA, tagged with "security"
  3. These are reviewed by the security team as usual
    1. Now that we have more UI experience on the team, it will be easier to triage/prioritize these
  4. At some point (once a year? quarter? release?) the UI devs should review the bugs and resolve at least all the high-priority ones.
    1. This includes running npm audit, looking at Dependabot, Snyk, etc., NOT just the JIRAs that the security team triaged/prioritized.
  5. Possibly come up with a JIRA template to help with consistency and make it easier for teams to adopt this process.
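As an added illustration of steps 4 and 5 (not code from the meeting or the project), the script below triages an `npm audit --json` report into the buckets the process distinguishes: plain upgrades, breaking (semver-major) fixes that need cross-team coordination, and findings with no fix yet, and renders each bucket as a JIRA-style ticket body. It assumes the npm 7+ report format (auditReportVersion 2); the sample report, its package names, versions and advisory URLs are constructed placeholders.

```javascript
// Added example, not from the meeting notes: triage an `npm audit --json` report
// (npm 7+, auditReportVersion 2) into the buckets the process above separates:
// plain upgrades, semver-major (breaking) fixes needing cross-team coordination,
// and findings with no fix yet, keeping only findings at or above a severity floor.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

function triageAudit(report, floor = "high") {
  const minRank = SEVERITY_RANK[floor];
  const buckets = { upgrade: [], breaking: [], noFix: [] };
  for (const v of Object.values(report.vulnerabilities || {})) {
    if ((SEVERITY_RANK[v.severity] ?? -1) < minRank) continue;
    // `via` mixes advisory objects with strings naming the dependency the
    // vulnerability is inherited through; keep only the advisory objects.
    const advisories = v.via.filter((x) => typeof x === "object")
      .map((a) => ({ title: a.title, url: a.url, range: a.range }));
    const entry = { name: v.name, severity: v.severity, direct: v.isDirect, advisories };
    const fix = v.fixAvailable;
    if (fix === false) buckets.noFix.push(entry);
    else if (fix === true || !fix.isSemVerMajor) buckets.upgrade.push(entry);
    else buckets.breaking.push({ ...entry, fixVersion: `${fix.name}@${fix.version}` });
  }
  return buckets;
}
// One JIRA-style ticket body per bucket, so every team files the same shape.
function ticketBody(label, entries) {
  const lines = entries.map((e) =>
    `- ${e.name} [${e.severity}${e.direct ? ", direct" : ""}]` +
    (e.fixVersion ? ` fix: ${e.fixVersion}` : "") +
    e.advisories.map((a) => `\n    ${a.title} (${a.range}) ${a.url}`).join(""));
  return `Labels: security\nBucket: ${label}\n${lines.join("\n")}`;
}
// Constructed sample report; package names, versions and URLs are placeholders.
const SAMPLE_REPORT = { auditReportVersion: 2, vulnerabilities: {
  "example-util": { name: "example-util", severity: "high", isDirect: true,
    via: [{ title: "Prototype pollution (constructed)", url: "https://example.invalid/PLACEHOLDER-1", range: "<2.0.1" }],
    fixAvailable: { name: "example-util", version: "2.0.1", isSemVerMajor: false } },
  "example-parser": { name: "example-parser", severity: "critical", isDirect: false,
    via: [{ title: "ReDoS (constructed)", url: "https://example.invalid/PLACEHOLDER-2", range: "<1.4.0" }],
    fixAvailable: { name: "example-framework", version: "5.0.0", isSemVerMajor: true } },
  "example-framework": { name: "example-framework", severity: "critical", isDirect: true,
    via: ["example-parser"], fixAvailable: true },
  "example-widget": { name: "example-widget", severity: "moderate", isDirect: true,
    via: [{ title: "XSS (constructed)", url: "https://example.invalid/PLACEHOLDER-3", range: "<0.9.2" }], fixAvailable: true },
  "example-legacy": { name: "example-legacy", severity: "high", isDirect: true,
    via: [{ title: "Path traversal (constructed)", url: "https://example.invalid/PLACEHOLDER-4", range: "*" }], fixAvailable: false },
} };

const TRIAGE = triageAudit(SAMPLE_REPORT);
for (const b of Object.keys(TRIAGE)) console.log(ticketBody(b, TRIAGE[b]) + "\n");
```

With a real report, replace SAMPLE_REPORT by `JSON.parse` of the `npm audit --json` output; the "moderate" floor can be passed as the second argument when a team wants to see everything below high as well.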

Item: Review all Sec Issues | Who: Team

Action for March 19, 2021?

  • Update:  We didn't get to this - April 2, 2021?

Item: Security page | Who: Team

Discuss where the "public-facing" security page should live and what info it should have on it. The Safe Harbor page above is one example of what should be there.

  • Update:  We didn't get to this - April 2, 2021?