2019-10-16 Meeting notes

Date

Oct 16, 2019

Attendees

  • @Mike Gorrell

  • @VBar

  • @Jakub Skoczen

  • @Mark Veksler

  • @Marko Knepper

  • @Craig McNally

  • @Peter Murray

  • @Zak Burke

  • @Ian Walls

  • @Tod Olson

Discussion items

Time

Item

Who

Notes

10 min

Update on DoD

Mark Veksler

  • Quick update: continuing to make progress (albeit slowly) on consolidating DoDs. Had a few questions for the TC: thoughts on adding these mandatory requirements to the DoDs: 1) conduct testing in a multi-tenant environment (might require the community reference environment to be set up with multi-tenant data) and 2) use ZAP to scan for OWASP Top 10 security vulnerabilities?

1) Discussed the distinction between multi-tenant testing and simply testing in a multi-tenant environment. We've seen some modules run out of memory in a multi-tenant environment and/or have issues when adding new tenants. So, some problems will be visible more quickly. Definitely a need to assist teams/developers with an environment to test in. More discussion needed about what our requirements might be.

2) ZAP is a free, open-source, browser-based tool that usually requires manual execution. There seems to be a SonarQube plugin, and one for Jenkins as well. Front-end only. General agreement that this is a good direction. More details to be nailed down.

5 min

Security Audit

@Mike Gorrell

  • Leipzig has committed funding, but there are some procedural details to be worked out before we can engage NCC.

10 min

New Assignment for Tech Council

@Mike Gorrell

FOLIO Infrastructure Budget maintenance. Discussed how this new policy came to be. We'll pull people together to outline the process we will follow. One aspect will be to decide how much information can remain public versus what information needs to be private. Another point is it would be great to be able to tie actions to specific costs. Volunteers: @Mike Gorrell @Peter Murray @Jakub Skoczen @Tod Olson @Mark Veksler - Mike to pull folks together.

Note - AWS has some credits/discounts for non-profits. Not for reserved instances though. Timing to change from On-Demand to Reserved Instances - Peter will make some changes soon but won't finish until a further analysis is done by some EBSCO resources.

10 min

Security Policy Group Update 

@Craig McNally

The group has met a few times and has a rough outline for a document, still at a very high level. They are hoping to finalize the straw man before the next group meeting (next Monday, 10/21).

10 min

Update on Debt-6

TC

  1. Environment - Core Platform

  2. Defining the test scenarios (which tests, how many of each, what data is needed, how big a dataset, etc.) ← Likely community product owner-type

  3. Building the tests themselves - Core Functional ( ? )... some teams have created sets of JMeter tests - these may be useful too. Would be helpful to leverage all teams to build these tests

  4. Collect and/or create data to be used - Mike and Tod to query Sys-Ops, potentially need to augment and/or curate additional data. Harry K might have a standard set of users

  5. Identifying which tools can be used to profile the application so that we can assess the results

Updates:

1) Mike started conversations with Jakub. There are a few environments that we can consider. Not urgent.

2) No update. Expect update 10/30.

3) Essentially on-hold until we have use cases to evaluate. Note that we have a bunch of JMeter tests that might be useful.

4) Chicago can deliver bib data. We discussed the value/benefit of synthetic data for Holdings/Items/Users/Loans. The Core team has an item, FOLIO-2296: enrich perf circulation data to match BugFest q3.2 (Closed), to create some test data, which could overlap with this need.

5) Will have an update on 10/23

20 min

Tech Debt update

TC

Mike to present an update to the Product Council on 10/24. Asking TC members to update items before next week's meeting.