2013-04-16 CAS AppSec Working Group Call

Meeting Details

Tuesday, April 16, 2013.  14:00 - 15:00 US - Eastern (GMT -04:00)  

TurboBridge Conference ID: 11235#
Main Access: +1-480-297-0005 (preferred if you don't pay for long distance by the minute)
Toll-Free Access: +1-800-309-2350

International numbers: http://turbobridge.com/international.html
Additional US Local numbers: http://turbobridge.com/local_toll.html
Options & Commands: http://www.turbobridge.com/join.html

SIP Access: sip:bridge@turbobridge.com

Participants 

Agenda

Meeting Notes

Discussed and approved request to add Marvin and Scott to cas-appsec-private and proposed policy around membership.

CAWG-5

Custom OAuth code to be swapped out for Spring Security OAuth support.  SAML remediation on hold.

CAWG-2

Jasig infrastructure is not available for dynamic code scans.  Bill will pursue a free AWS instance.  Jérôme will pursue free hosting for open source projects.  In the meantime Aaron will set up a local test bed.

CAWG-4

Aaron will triage the static scan report after setting up the local test bed.

CAWG-6

Started reviewing additional DFD diagrams added by Jérôme on CAS Threat Modeling.

Decided on using the open source Dia as the tool and format for DFD work.

Review of DFD of CAS tickets storage:

Next call will be via EMC WebEx.  David will set it up and share coordinates on the list.

Action Items

Post Meeting Notes (catch-all, alibis)