2013-04-02 CAS AppSec Working Group Call

Meeting Details

• Tuesday, April 2, 2013.  14:00 - 15:00 US - Eastern (GMT -04:00) 
•  Call in Number:  http://www.calliflower.com/2011/11/15/international-conference-calling/
• Conference Code: 4397017

Participants 

• Jérôme Leleu
• Andrew Petro
• Bill Thompson
• Aaron Weaver

 Agenda

• Introductions
• Review/Approve Meeting Minutes
   
• Review Action Items
• JIRA for issue tracking?
• Apereo Conference in June
• Input Validation/Filtering
  
• Open Discussion
  
• Meeting Schedule
• Share sample security artifacts
• Next Steps

Meeting Notes

Decide to pursue JIRA project for tracking WG AIs.

Briefly discussed DFD.  Will continue to progress on that via mailing list.  Looking to create additional level diagrams.  Discussed how DFD helps to identify areas that may need additional security controls or consideration.

Aaron shared a new static code scan of CAS 3.5.2.  No major issues, will triage others and share on cas-appsec-private.

Discussed the use of ZapProxy for dynamic scans and the need for test instance.

Will pursue renaming cas-appsec to cas-appsec-public to help avoid inadvertent disclosure.

Action Items

• Sketch out CAS security assessment - Team
• Draft WG charter - Andrew
• Follow up with cas-dev regarding 3rd party vs custom code - Jérôme
• Review https://www.owasp.org/index.php/Application_Threat_Modeling - Team
• Share and revise example security artifacts (data flow diagram, etc) - David, Jérôme, Team
• Inquiry about EC2 test instance - Bill

Post Meeting Notes (catch-all, Alibi's)