2013.03.19 CAS AppSec Working Group Call

Meeting Details

• Tuesday, March 19, 2013.  14:00 - 15:00 US - Eastern (GMT -04:00) 

•  Call in Number:  http://www.calliflower.com/2011/11/15/international-conference-calling/

• Conference Code: 4397017

Participants 

• Joachim Fritschi

• Jérôme Leleu

• David Ohsie

• Andrew Petro

• Bill Thompson

• Aaron Weaver

Agenda

• Introductions

• Review/Approve Meeting Minutes

• Review Action Items

• Open Discussion

• Meeting Schedule

• Share sample security artifacts

• Next Steps

Meeting Notes

Added Aaron Weaver to the group.  Aaron is an AppSec specialist, works for Pearson, deploys CAS.

Two mailing list have been created...cas-appsec-public and cas-appsec-private.

Reviewed initial context data flow diagram created by David.

Discussed investigating the use of bugcrowd.com after initial security assessment is done.

Discussed the need for an EC2 test instance to dynamic scans.

Action Items

• Sketch out CAS security assessment - Team

• Draft WG charter - Andrew

• Follow up with cas-dev regarding 3rd party vs custom code - Jérôme

• Review https://www.owasp.org/index.php/Application_Threat_Modeling - Team

• Share and revise example security artifacts (data flow diagram, etc) - David, Jérôme, Team

• Invite team to cas-appsec-private - Bill

• Run Veracode against CAS 3.5.2 - Aaron

• Inquiry about EC2 test instance - Bill

Post Meeting Notes (catch-all, Alibi's)