2023-09-21 Meeting notes

@Craig McNally 

@Julian Ladisch 

@Axel Dörrer 

@Ryan Berger 

@Chris Rutledge 

@Jakub Skoczen 

@John Coburn 

@Skott Klebe 

@Jens Heinrich 

Anything Urgent? Review the Kanban board?

Team

NCT Group pen testing works and overlaps with the ZAP testing

Axel @Jens Heinrich 

We've asked the NCT group if someone could join us to discuss the pen testing they're doing,  how it overlaps with the ZAP testing, etc.

Let's aim for Sep 21, 2023.  @Axel Dörrer will coordinate with the NCT group to set this up, forward invites, etc.

Notes:

• Jens from the Network Control Group (NCT) joined us to discuss today

• There was a desire to do some testing which uses API fuzzing

• Some struggles with RAML not being compatible with the tools being used for this

• He was able to map RAML → OpenAPI 

• ZAP and this work are complimentary, not a duplication of effort.

  • One looks at the system from the client perspective,

  • The other looks at the APIs provided by the server

• What are the next steps?

  • Both efforts should proceed in parallel

  • We need to think about what we want to do with the results of these tests...

    • How are the findings triaged and logged as JIRAs, etc.

    • Make sure we don't "lose" the results (again)

RSRVR-125 "Cross-site Scripting (XSS) in webroot/index.js"

Julian/Jakub

@Jakub Skoczen will get it addressed soon, it's mostly a bandwidth issue

Suggestion was to drop Reservoir from the security board (possibly snyk too) since it isn't part of the Folio flower releases 

Consortia Tenant Checks

How can the consortia token security issues been addressed?

• See 2023-06-26 - Consortia Tenant Checks

• Group chat has been created with Olamide, Jakub, Julian, Vince, Axel, and Craig.  So far there's been very little conversation