Charter

The CAS Application Security Working Group is a group to work on the security of the CAS application.  We

• proactively work to improve the security of CAS, focusing on the Apereo CAS server, the protocol, and various CAS clients
• respond to potential vulnerabilities.  We create, maintain, and execute on vulnerability triage and notification policy, fielding handoffs from the Jasig Security Contact Working Group and otherwise.  We issue vulnerability reports and work to coordinate workarounds and fix responses to security concerns that arise.
• produce artifacts that help potential CAS adopters to evaluate the security of CAS both as open source product and as they intend to locally implement the product.  This includes threat modeling, data flow diagrams, etc.
• We create and maintain recommendations on good practices for CAS implementation around hardening, configuration, failing safe, security by default, etc.

Working Group Members

• Joachim Fritschi
• Jérôme Leleu
• Misagh Moayyed
• Parker Neff
• David Ohsie
• Bill Thompson
• Aaron Weaver
  
  

Mailing Lists

• cas-appsec-public - public lists for general discussion, coordination, and collaboration.
• cas-appsec-private - private list for discussing potential vulnerabilities, analysis of reported vulnerabilities, and other on-going work

Meeting Minutes

• 2013.02.08 CAS AppSec Kickoff Call
• 2013.02.22 CAS AppSec Working Group Call
• 2013.03.19 CAS AppSec Working Group Call
• 2013.04.02 CAS AppSec Working Group Call
• 2013-04-16 CAS AppSec Working Group Call
• 2013-04-30 CAS AppSec Working Group Call
• 2013-05-14 CAS AppSec Working Group Call
• 2013-05-28 CAS AppSec Working Group Call
• 2013-11-26 CAS AppSec Working Group Call
• 3rd party vs custom code
• CAS Threat Modeling
• Vulnerability Response

Action Items

JIRA Project: CAWG

Tools

• http://www.veracode.com/ Veracode provides automated static and dynamic application security testing software. We scan binary code and produce a prioritized report of flaws

• http://www.modsecurity.org/
• http://www8.hp.com/us/en/software-solutions/software.html?compURI=1338812  HP Fortify: This is a source code scanning tool for security.  Be warned that it takes a lot of work to filter out false positives.  OWASP did something with fortify and open source projects, but the links seem to be dead. https://www.owasp.org/index.php/Category:OWASP_Open_Review_Project.
• http://www.qualys.com/ Qualys: This scans a running web application to look for attack avenues such as open proxies, open forwarders, etc.  It does a decent job of classifying the probability that the discovered issue is a true issue.
• https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project  The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.
• http://www.acunetix.com/ A very good web application security scanner.
  
• http://www.quotium.com : it's a web scanning tool which returns security problems and the related source code.
• https://www.ironbee.com/ - open source WAF  (replaces modsecurity? )
  
• http://bugcrowd.com/ - crowdsource security scans

Resources

• http://www.cgisecurity.com/owasp/html/
• http://www.spi.dod.mil/tenets.htm
• http://www.csoonline.com/slideshow/detail/80286#slide1

CAS inventory

• 3rd party vs custom code

CAS Hardening

• Securing Your New CAS Server

Threat Modeling

• CAS Threat Modeling

Vulnerability Response

• Vulnerability Response