Date 09 Dec 2022
Attendees Discussion items Time Item Who Notes 45 Min Proposal site structure Group diskussion Site structrueDefinitions within environment(s) to investigate classes of threats External generic - i.e script kiddies, without folio-specific knowledge"Bad user" - has a folio account and password. Either leaked account/password or evil userInternal non-folio - Has access to (parts of) folio network but no accountnon-malicious - I.e Ooops- script or command. User with foilo-account that had bad luck when thinking classes of networks public net internals net(s) classes of FOLIO servicesFOLIO Backend modules FOLIO permission/managing service - OKAPI Secondary servicesKafka Elastic Search Database FOLIO-Reporting? Monitoring? classes of tools to explorewebservers / proxies firewalls treat/suspicous traffic detection services (log scanning eg. elastic search) others? scope:start with API later: UI later: secondary services (Kafka, Elastic Search, Database etc.) out of scope:Bringing down / securing secondary services several stages of aproachInvestigation → stories and (ab)use casesMatrix of cases to explore eg. bringing down Okapi clause of from external network clause from internal net to bring down modules directly Defining test case/environments Creating test environment and verifying Outcome should be a documentationno need to specify this on at this stage (Diagrams where needed) 5 Min Meeting times and frequencies All Fridays 11 CET every week to start stay in huddle for the moment could lower frequency later for asychronous work
Action items Axel to create defintions page and start with classes definition → inform about that in slack