2013-04-30 CAS AppSec Working Group Call
Meeting Details
Tuesday, April 30, 2013. 14:00 - 15:00 US - Eastern (GMT -04:00)
Webex: https://emccorp.webex.com/emccorp/j.php?J=642289088
Participants
Agenda
- Review/Approve Meeting Minutes
- Review Action Items
- Apereo conference: who is going to be there?
- Thursday 2013-06-05 BOF session on coordinating Security efforts across Apereo
BOF to answer an obvious question raised by the merger: is there a wish to share security resources across projects? Interested parties should have an opportunity to meet and discuss this face to face at the conference. Let's see if there is enough commitment to move forward.
- Open Discussion
Meeting Notes
Bill set up a micro EC2 instance; he wasn't happy with the proprietary administrative interfaces, and the instance didn't seem stable. Aaron/David reported that you can mostly ignore the AWS interface and just use the instance like a hosted Linux VM. Jerome has also set up an instance on CloudBees. Had some discussion about setting up an appliance; mostly concluded that this is not in the critical path for the short-term goal of running dynamic scans. Aaron is setting up a local VM and running ZAP (ZapProxy) against CAS.
General discussion about working group scope and charter. The charter should be short and to the point, meant to capture consensus and inform others of the work this group is doing. Discussed these main themes:
- Proactively work to improve the security of CAS (although mostly focused on the CAS server currently)
- Respond to potential vulnerabilities: create, maintain, and execute a vulnerability notification policy; issue vulnerability reports
- Produce artifacts that potential adopters can use to evaluate the security of CAS: threat modeling, data flow diagrams, etc.
- Recommendations on hardening, configuration, secure by default, etc.
Reviewed action items and will proceed as time and resources allow.
Action Items