2023-09-21 Meeting notes

Date

Attendees

Discussion items

Time | Item | Who | Notes

Anything Urgent? Review the Kanban board?

Who: Team

NCT Group pen testing works and overlaps with the ZAP testing

Who: Axel, Jens Heinrich

We've asked the NCT group if someone could join us to discuss the pen testing they're doing, how it overlaps with the ZAP testing, etc.

Let's aim for . Axel Dörrer will coordinate with the NCT group to set this up, forward invites, etc.


Notes:

  • Jens from the Network Control Group (NCT) joined us to discuss today
  • There was a desire to do some testing which uses API fuzzing
  • Some struggles with RAML not being compatible with the tools being used for this
  • He was able to map RAML → OpenAPI
  • ZAP and this work are complementary, not a duplication of effort.
    • One looks at the system from the client perspective,
    • The other looks at the APIs provided by the server
  • What are the next steps?
    • Both efforts should proceed in parallel
    • We need to think about what we want to do with the results of these tests...
      • How are the findings triaged and logged as JIRAs, etc.
      • Make sure we don't "lose" the results (again)

RSRVR-125 "Cross-site Scripting (XSS) in webroot/index.js"

Who: Julian/Jakub

Jakub Skoczen will get it addressed soon, it's mostly a bandwidth issue

Suggestion was to drop Reservoir from the security board (possibly snyk too) since it isn't part of the Folio flower releases


Consortia Tenant Checks

How can the consortia token security issues be addressed?

Action items

  •