...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
2013
...
-04
...
-02 CAS AppSec Working Group Call
Meeting Details
- Tuesday, April 2, 2013. 14:00 - 15:00 US - Eastern (GMT -04:00)
- Call in Number: http://www.calliflower.com/2011/11/15/international-conference-calling/
- Conference Code: 4397017
Participants Agenda
- Jérôme Leleu
- Andrew Petro
- Bill Thompson
- Aaron Weaver
Agenda
- Introductions
- Review/Approve Meeting Minutes
- Review Action Items
- JIRA for issue tracking?
- Apereo Conference in June
- Input Validation/Filtering
- Open Discussion
- Meeting Schedule
- Share sample security artifacts
- Next Steps
Meeting Notes
Decide to pursue JIRA project for tracking WG AIs.
Briefly discussed DFD. Will continue to progress on that via mailing list. Looking to create additional level diagrams. Discussed how DFD helps to identify areas that may need additional security controls or consideration.
Aaron shared a new static code scan of CAS 3.5.2. No major issues, will triage others and share on cas-appsec-private.
Discussed the use of ZapProxy for dynamic scans and the need for test instance.
Will pursue renaming cas-appsec to cas-appsec-public to help avoid inadvertent disclosure.
Action Items
- Sketch out CAS security assessment - Team
- Draft WG charter - Andrew
- Follow up with cas-dev regarding 3rd party vs custom code - Jérôme
- Review https://www.owasp.org/index.php/Application_Threat_Modeling - Team
- Share and revise example security artifacts (data flow diagram, etc) - David, Jérôme, Team
- Invite team to cas-appsec-private - Bill
- Run Veracode against CAS 3.5.2 - Aaron
- Inquiry about EC2 test instance - Bill
...