2013-04-16 CAS AppSec Working Group Call
Meeting Details
Tuesday, April 16, 2013. 14:00 - 15:00 US - Eastern (GMT -04:00)
TurboBridge Conference ID: 11235#
Main Access: +1-480-297-0005 (preferred if you don't pay for long distance by the minute)
Toll-Free Access: +1-800-309-2350
International numbers: http://turbobridge.com/international.html
Additional US Local numbers: http://turbobridge.com/local_toll.html
Options & Commands: http://www.turbobridge.com/join.html
SIP Access: sip:bridge@turbobridge.com
Participants
Agenda
- Review/Approve Meeting Minutes
- Review Action Items
- Open Discussion
Meeting Notes
Discussed and approved request to add Marvin and Scott to cas-appsec-private and proposed policy around membership.
CAWG-5
Custom OAuth code to be swapped out for Spring Security OAuth support. SAML remediation on hold.
CAWG-2
Jasig infrastructure not available for dynamic code scans. Bill will pursue a free AWS instance. Jerome will pursue free hosting for open source projects. In the meantime Aaron will set up a local test bed.
CAWG-4
Aaron will triage static scan report after setting up local test bed.
CAWG-6
Started reviewing the additional DFD diagrams added by Jérôme on CAS Threat Modeling.
Decided on using the open-source Dia as the tool and file format for DFD work.
Review of the DFD of CAS ticket storage:
- replication traffic needs to be protected; secure by default
- add what type of data is being replicated
- add another CAS server to illustrate a multi-node deployment
- hash TGT IDs in transit and at rest (memory, db, file)?
Next call will be via EMC WebEx. David will set up the meeting and share the coordinates on the list.
Action Items