2013-05-14 CAS AppSec Working Group Call

Meeting Details

Tuesday, May 5th, 2013.  14:00 - 15:00 US - Eastern (GMT -04:00)

Webex: https://emccorp.webex.com/emccorp/j.php?J=642289088

Webex has international dial-back capability
Passcode:        62405979
USA:             857-207-4204/888-643-3084
France:         0157323313/0805540147
Germany:         06950985552/08006646745
US Cell Link:    tel://8572074204,62405979#
Meeting Number: 642 289 088
Meeting Password: This meeting does not require a password.

Participants

  • Jerome Leleu
  • David Ohsie
  • Andrew Petro
  • Bill Thompson

Agenda

Meeting Notes

Approved minutes from previous meeting.

Reviewed open action items in JIRA:

CAWG-6 (diagrams and threat modeling): David has made some progress on the new diagram format. A concern surfaced about the REST API carrying secrets in the URI itself, which is a well-known bad practice (URIs show up in server logs, browser history, proxy logs, etc.). The diagrams did not show this as such, but it came to mind through the diagramming.

This is analogous to the advice to turn off JSESSIONID in the URI.

Andrew pointed out that the /cas/proxy endpoint in the traditional CAS protocol has the same secret-in-URI issue (here, as a request parameter). There it is a service-to-CAS request, so it does not land in browser history, but it still might be logged by a well-meaning CAS web server.
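As an added example (not WG material or CAS project code), a Python check that finds CAS tickets and servlet session ids in the request URIs of access-log lines and redacts them before they are written or shipped; the log lines are constructed, and the parameter names assumed are the CAS protocol's ticket, pgt, pgtId and pgtIou plus JSESSIONID.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Parameters that carry a CAS ticket or a servlet session id when they appear in a
# URI (CAS: ticket, pgt on /proxy, pgtId/pgtIou on the proxy callback; container:
# JSESSIONID, which may also ride in the path as ";jsessionid=...").
SECRET_PARAMS = {"ticket", "pgt", "pgtid", "pgtiou", "jsessionid"}
JSESSIONID_PATH = re.compile(r";jsessionid=[^;/?#]+", re.IGNORECASE)

def find_uri_secrets(uri):
    """Return the (lower-cased) names of secret-bearing parameters in a URI."""
    parts = urlsplit(uri)
    found = [k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True)
             if k.lower() in SECRET_PARAMS]
    if JSESSIONID_PATH.search(parts.path):
        found.append("jsessionid")
    return sorted(set(found))

def redact_uri(uri, mask="REDACTED"):
    """Replace secret values with a mask so the URI can be logged safely."""
    parts = urlsplit(uri)
    query = [(k, mask if k.lower() in SECRET_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    path = JSESSIONID_PATH.sub(";jsessionid=" + mask, parts.path)
    return urlunsplit((parts.scheme, parts.netloc, path,
                       urlencode(query), parts.fragment))

# Constructed access-log lines (not real traffic) in common log format.
SAMPLE_LOG = """\
10.0.0.5 - - [14/May/2013:14:05:01 -0400] "GET /cas/proxy?pgt=PGT-constructed-sample&targetService=https%3A%2F%2Fapp.example.org%2F HTTP/1.1" 200 512
10.0.0.6 - - [14/May/2013:14:05:02 -0400] "GET /app/;jsessionid=CONSTRUCTEDSESSION123 HTTP/1.1" 200 99
10.0.0.7 - - [14/May/2013:14:05:03 -0400] "GET /cas/login?service=https%3A%2F%2Fapp.example.org%2F HTTP/1.1" 200 2048
"""
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def scan_log(text):
    """Return (line_no, secret names, redacted URI) for each line that exposes a secret."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if m and (secrets := find_uri_secrets(m.group(1))):
            hits.append((n, secrets, redact_uri(m.group(1))))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The same redaction can be applied in a logging filter so the secret never reaches disk, rather than being scrubbed afterwards.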

Jerome proposed listing threats directly on the diagram. Discussion of how diagrams contribute to, and are part of, the threat modeling documentation without being the entirety of it.

Jerome suggests we review protocol diagrams as group, perhaps at next meeting.

CAWG-5 (evaluating use of third party code): Jerome has made some progress on this, especially as regards the OAuth implementation, and will discuss further tomorrow at the cas-dev@ check-in call with respect to CAS 4. The idea is to look at the custom code in CAS and seek opportunities to reduce the amount of custom code in the CAS server in favor of adopting high-quality third party software libraries. On OAuth, the idea is to adopt the Spring Security OAuth libraries and thereby retire a good chunk of custom code from the CAS server. No progress yet on doing this for SAML support.

CAWG-4 and CAWG-9 (static and dynamic code scans) are Aaron Weaver's action items; no updates on these this meeting.

CAWG-10 Bill Thompson submitted, supported by others, proposal to AppSec 2013.  Conference isn't until November or so.

CAWG-1 Andrew drafted WG charter, supported by the notes Bill had added to the JIRA after discussion on previous AppSec WG meeting.  Looked at the draft on call and tweaked several times to clarify scope wrt CAS client libraries.


In open discussion, Andrew mentioned that Unicon is spinning up efforts on multifactor support extensions and is interested, once further along, in reviewing them with the AppSec WG if WG time allows.

Discussion of Apereo conference, both the general security BoF and a BoF specific to the CAS AppSec WG.  Using that BoF as an opportunity to do some face-to-face threat modeling using OWASP threat modeling framework.  Best if everyone could come to that meeting having reviewed that framework a few times and ready to model.  Everyone to spread word about the BoF; Bill to figure out when it is and communicate that with WG (CAWG-12).

David to re-send calendar invite (CAWG-11) for the recurring WG meetings and group to verify whether and how well the calendar invite works this time.



Action Items


Post Meeting Notes (catch-all, alibis)