2013-04-30 CAS AppSec Working Group Call


Meeting Details

Tuesday, April 30, 2013.  14:00 - 15:00 US - Eastern (GMT -04:00)

Webex: https://emccorp.webex.com/emccorp/j.php?J=642289088

Webex has international dial-back capability
Passcode:        62405979
USA:             857-207-4204/888-643-3084
France:         0157323313/0805540147
Germany:         06950985552/08006646745
US Cell Link:    tel://8572074204,62405979#
Meeting Number: 642 289 088
Meeting Password: This meeting does not require a password.

Participants

Agenda

  • Review/Approve Meeting Minutes
  • Review Action Items
  • Apereo conference: who's gonna be there?
    • Thursday 2013-06-05 BOF session on coordinating Security efforts across Apereo

BOF to answer an obvious question raised by the merger.

Is there a wish to share Security resources across projects? Interested parties should have an opportunity to meet and discuss this face to face at the conference. Let's see if there is enough commitment to move forward.

  • Open Discussion  

Meeting Notes

Bill set up a micro EC2 instance; he wasn't happy with the proprietary administrative interfaces, and the instance didn't seem stable. Aaron/David reported that you can mostly ignore the AWS interface and just use the instance like a hosted Linux VM. Jerome has also set up an instance on CloudBees. Had some discussion about setting up an appliance; mostly concluded that this is not on the critical path for the short-term goal of running dynamic scans. Aaron is setting up a local VM and running OWASP ZAP (Zed Attack Proxy) against CAS.

General discussion about working group scope and charter. The charter should be short and to the point, meant to capture consensus and inform others of the work this group is doing. Discussed three main themes:

  • Proactively work to improve the security of CAS (currently focused mostly on the CAS server)
  • Respond to potential vulnerabilities: create, maintain and execute a vulnerability notification policy; issue vulnerability reports
  • Produce artifacts that potential adopters can use to evaluate the security of CAS: threat modeling, data flow diagrams, etc.
  • Recommendations on hardening, configuration, secure-by-default settings, etc.

Reviewed action items and will proceed as time and resources allow.


Action Items


Post Meeting Notes (catch-all, Alibi's)