Charter
The CAS Application Security Working Group is a group that works on the security of the CAS application. We
- proactively work to improve the security of CAS, focusing on the Apereo CAS server, the protocol, and the various CAS clients
- respond to potential vulnerabilities. We create, maintain, and execute on a vulnerability triage and notification policy, fielding handoffs from the Jasig Security Contact Working Group and elsewhere. We issue vulnerability reports and work to coordinate workarounds and fix responses to security concerns that arise.
- produce artifacts that help potential CAS adopters evaluate the security of CAS, both as an open source product and as they intend to implement it locally. This includes threat modeling, data flow diagrams, etc.
- create and maintain recommendations on good practices for CAS implementation, covering hardening, configuration, failing safe, security by default, etc.
Working Group Members
Mailing Lists
- cas-appsec-public - public list for general discussion, coordination, and collaboration.
- cas-appsec-private - private list for discussing potential vulnerabilities, analysis of reported vulnerabilities, and other ongoing work.
Meeting Minutes
Action Items
JIRA Project: CAWG
Tools
Resources
CAS inventory
CAS Hardening
Threat Modeling
Vulnerability Response