| Time | Topic | Who | Notes |
|---|---|---|---|
| 5-10 min | SonarQube | Team | Use of `//NOSONAR`, etc. See Slack for details. |
| 1-2 min | Pen Testing | Craig | Just reviewed findings with the pen testers today. Will be creating SECURITY issues soon. Sneak preview:<br>- Username enumeration via "forgot password" / "forgot username"<br>- Finish migration away from mod-configuration (even non-sensitive data)<br>- Stack traces returned from backend modules in some cases<br>- Reduce superfluous information in responses, e.g. "via: kong/3.7.1", "server: nginx/1.26.2", etc. |
| ? | SECURITY-272: XBOW-025-171 NumberGenerator template arbitrary code execution in mod-service-interaction (Completed) | Team | See notes in the JIRA. @Craig McNally after days finally heard back from Tom Cramer; neither he nor Peter M. had responded to XBOW. I got a response out yesterday and included the security team on the email.<br>Previous: XBOW has filed a private vulnerability report. Next step is to triage and provide a Folio-specific report with additional details (e.g. the module is behind Okapi, etc.). It isn't clear who will do this... is it the development team or the Security Team?<br>Today: |
| | OAI-PMH | Julian | AWS SDK has been reverted to 2.29.9, which is 108 releases behind the latest. Is there enough time remaining in the Sunflower bugfix period to test the newer version (2.31.27)? → Question for Slava/Magda |
| | ERM modules + stack traces in error responses | Team | Reviewed ERM-3292 and ERM-3466. Left a comment for Owen/Ethan asking if there is a way to solve this problem for all ERM (Grails) modules, since it keeps coming up. Also assigned to Trillium. |
| * | Anything urgent? Review Mike's Kanban board? Review Security board? Review labels=security? Under Review Filter: New Board | Team | Today: @Craig McNally to ask around for an env hooked up to LDP/MetaDB so we can experiment and try to identify any other security issues in mod-reporting/ui-ldp wrt error responses (stack traces, unsafe HTML, etc.). This functionality is usually tested in a snapshot env, though it isn't clear which one. Bugfest envs are NOT usually hooked up to LDP/MetaDB. Craig will continue to try to find an answer... look at TestRail to see who is doing this testing and ask them where they are testing it?<br>@Julian Ladisch to add module-specific tickets to https://folio-org.atlassian.net/issues/FOLIO-4283 "Replace net.mguenther.kafka:kafka-junit (EOL)" |
| 0 min | Jira Group and Security Level review | Team | From Craig in Slack: I've been in communication with David Crossley, Wayne Schneider, John Malconian and Peter Murray about the issue above. They apparently didn't have access to these embargoed issues (SysOps and Core Team). Peter shared this screenshot with me, which doesn't look right. I'd like to review this at one of our meetings and come up with a list of changes/improvements for Peter to make. A few ideas off the top of my head:<br>- Add descriptions to each of the security groups, like we have for "FOLIO Security Group"<br>- Maybe add a new security group and level for FOLIO DevOps<br>- Review membership of each of these groups and remove users no longer on the project<br>- Review the Security Level -> Group mappings. Some of these don't look quite right to me.<br>If it makes this easier, we could invite Peter to a meeting so we can see the groups/levels interactively and make adjustments as we go.<br>Not exactly this, but related...<br>- Issues submitted to the SECURITY JIRA project should automatically be embargoed (Security Level = Folio Security Group)<br>- The submitter of issues to the SECURITY JIRA project should be able to view issues they submit, regardless of their Security Level<br>- Email notification sent to the Folio Security Group when an issue is created in the SECURITY Jira project.<br>Action: @Craig McNally to set up a meeting with Peter and representatives from the Security Team to work through these things after WOLFcon?<br>Today: |
| Time permitting | Advice for handling of sensitive banking information | Team | From the Slack conversation, I think I've gathered the following: Let's review and discuss before providing this feedback to Raman. @Axel Dörrer also suggested that defining classes of sensitivity could help teams determine which techniques are applicable in various situations. I agree that having some general guidelines on this would be helpful. It would probably help to provide concrete examples of data in each class. This can be a longer-term effort; we don't need to sort out all the details today.<br>Today: @Axel Dörrer to do a first draft as a base for further discussions |
| | Status on pentesting work within the Network Traffic Control group | @Axel Dörrer | Due to absences for various reasons, the group has stalled. Axel will try to reactivate the group. |
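Added illustration for the findings in the Pen Testing row and the ERM stack-trace row (not FOLIO code and not from the pen-test report; class and method names `ResponseHardening`, `stripFingerprintHeaders`, `internalError` and `forgotPassword` are hypothetical, and the `Response` class is a stand-in for whatever the module's framework uses). It shows the usual shape of the three fixes: version-bearing headers such as `via: kong/3.7.1` and `server: nginx/1.26.2` are dropped before a response leaves the service, an unhandled exception is logged server-side under a correlation id and the client gets only a generic message plus that id, and "forgot password" returns the same status and body whether or not the identifier matches an account.

```java
// Added example, not FOLIO project code. Class and method names are hypothetical.
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import java.util.function.Consumer;
import java.util.logging.Level;
import java.util.logging.Logger;

public class ResponseHardening {

    private static final Logger LOG = Logger.getLogger(ResponseHardening.class.getName());

    /** Minimal stand-in for the framework's HTTP response object (hypothetical). */
    public static final class Response {
        public final int status;
        public final String body;
        public final Map<String, String> headers;

        Response(int status, String body, Map<String, String> headers) {
            this.status = status;
            this.body = body;
            this.headers = headers;
        }
    }

    // Response headers that advertise product and version ("via: kong/3.7.1",
    // "server: nginx/1.26.2"). Header names are compared case-insensitively.
    private static final Set<String> FINGERPRINT_HEADERS = Set.of("server", "via", "x-powered-by");

    /** Returns a copy of the headers with product/version-bearing ones removed. */
    public static Map<String, String> stripFingerprintHeaders(Map<String, String> headers) {
        Map<String, String> kept = new HashMap<>();
        for (Map.Entry<String, String> e : headers.entrySet()) {
            if (!FINGERPRINT_HEADERS.contains(e.getKey().toLowerCase(Locale.ROOT))) {
                kept.put(e.getKey(), e.getValue());
            }
        }
        return kept;
    }

    /**
     * Unhandled exception -> 500. The full stack trace goes to the server log under a
     * correlation id; the client sees only a generic message and that id, so support
     * can still locate the trace without it being returned in the response.
     */
    public static Response internalError(Throwable cause) {
        String correlationId = UUID.randomUUID().toString();
        LOG.log(Level.SEVERE, "Unhandled error, correlationId=" + correlationId, cause);
        String body = "{\"message\":\"Internal server error\",\"correlationId\":\"" + correlationId + "\"}";
        return new Response(500, body, Map.of("Content-Type", "application/json"));
    }

    /**
     * "Forgot password" that does not reveal whether the identifier matches an account:
     * the reset mail is sent only on a match, but status and body are identical either way.
     */
    public static Response forgotPassword(String identifier, Set<String> knownUsers,
                                          Consumer<String> sendResetMail) {
        if (knownUsers.contains(identifier)) {
            sendResetMail.accept(identifier);
        }
        String body = "{\"message\":\"If an account matches, a reset link has been sent.\"}";
        return new Response(200, body, Map.of("Content-Type", "application/json"));
    }

    public static void main(String[] args) {
        // Constructed sample headers, as a gateway and web server might add them.
        Map<String, String> raw = new HashMap<>();
        raw.put("Content-Type", "application/json");
        raw.put("Via", "kong/3.7.1");
        raw.put("Server", "nginx/1.26.2");
        System.out.println("headers kept: " + stripFingerprintHeaders(raw).keySet());

        Response err = internalError(new IllegalStateException("template evaluation failed"));
        System.out.println("error response: " + err.status + " " + err.body);

        // Constructed user store; "nobody" is not an account.
        Set<String> users = Set.of("alice");
        Consumer<String> mailer = u -> System.out.println("reset mail queued for " + u);
        Response known = forgotPassword("alice", users, mailer);
        Response unknown = forgotPassword("nobody", users, mailer);
        System.out.println("responses indistinguishable: "
                + (known.status == unknown.status && known.body.equals(unknown.body)));
    }
}
```

Two caveats when applying this in practice: an identical body does not by itself remove the difference in response time between the mail-sending and non-sending paths, so the mail dispatch normally goes onto a queue rather than being done inline; and stripping `Server`/`Via` inside the module only covers headers the module itself controls, so the gateway and web server in front of it (Kong, nginx) need the equivalent setting in their own configuration.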