2023-07-20 Meeting notes

Date

Attendees

Discussion items

Time | Item | Who | Notes
0 min | OWASP/SNYK | Team
  • Epic: FOLIO-3582
  • Feature: FOLIO-3583
  • User Story: FOLIO-3584
  • User Story: FOLIO-3709
  • Sonar (https://sonarcloud.io/organizations/folio-org/quality_profiles):
    • Java: All 38 security hotspots rules and all 53 vulnerabilities rules are enabled (2 deprecated vulnerabilities rules are disabled).
    • JavaScript: 53 security hotspots rules and all 27 vulnerabilities rules are enabled.
      • John Coburn will check whether the remaining 2 security hotspots rules should be enabled.
  • Snyk: Skott Klebe to take a closer look and add ignore where applicable

Today:

  • What about the OWASP stuff?
1 min | NCT group (Pen. testing)

Progress is slow... at most expect monthly updates.

  • Pre work has been completed (Python)
  • Next step is to parse the RAML for all endpoints/module and run the tests
1 min | STCOR-395 "refactor login form to avoid using any form framework whatsoever" | All

 Background
  • Create a spike to investigate what's involved in divorcing the login page from the NPM ecosystem.  Will reach out to John and Ryan as needed. 
  • Reopen STCOR-395 and block on the spike. – Done.
  • Where does this stand?  Get an update from Ryan Berger / John Coburn
  • Waiting for the spike (STCOR-651) to be completed. – currently in the Open state.
  • John to reach out to Skott to discuss the level of risk associated with this. – Still needs to happen.
  • John Coburn pulled together two PoCs. See comments in STCOR-651.
  • How do we want to move forward?
    • Solutions need to be reviewed and discussed.
    • Sounds like the iframe approach is a non-starter... actually a step in the wrong direction security-wise
  • John Coburn (and others) to read up on browser CSPs
  • John Coburn has made some progress on investigating CSPs
    • Will share some draft guidance we may want to include in the installation documentation (via Slack)
    • SG will review and provide feedback.  Skott Klebe please take a look too
  • Next up:  John to work on some spike work - focused on introducing CSPs on the folio-snapshot site
    • can serve as a reference impl of the guidance we'll be adding to the install docs
  • Not much progress since last week, but hopefully get some movement on this soon.