Fall 2009 Day 2 - Security of uPortal and Portlets (safe coding practices)
uPortal Security
No official security policy exists yet; one could be fairly simple:
- Identify realistic vulnerabilities in the portal and portlets
- Open source - code is available to see and review
- Widely used
- Identify ways to address, without creating new holes
- Review process for donated code
Security Concerns
- SQL Injection
- XSS (Cross-site scripting)
- CSRF (Cross-site request forgery)
Security Policy
- Peer Review - small committed group
- Eric D sees all code that is posted
- Prepared Statements (parameterized SQL, against SQL injection)
- Content Escaping (output encoding, against XSS)
- Vulnerability Reporting Process (Jasig Security Listhost; publish to the public, normally after a fix is available)
- Point to OWASP
- Role definitions
- Method to publish security reviews
- Incubation process
- CH feels like the process is too long already.
- Developer Guidelines document (committer access will require agreement to the process in future)
- Disclaimer Statement (at bottom of policy)
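The two coding practices above, prepared statements and content escaping, are the standard answers to the SQL injection and XSS concerns listed earlier. The following is an added example, not code from these notes or from uPortal: it shows a vulnerable query and greeting beside their hardened forms, run against a constructed in-memory SQLite table. Python is used so the example runs stand-alone; in the Java portlet code the notes refer to, the same pattern is java.sql.PreparedStatement with bound parameters and an HTML-escaping call on output. The table, user names and payload strings are all constructed for the example.

```python
import html
import sqlite3

# Constructed sample data for the example (not uPortal's schema).
SAMPLE_USERS = [
    ("alice", "Alice Example"),
    ("bob", "Bob Example"),
]


def make_db():
    """Build an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, display_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_concat(conn, username):
    """Vulnerable: the user-supplied value is spliced into the SQL text,
    so a quote in the input changes the structure of the query."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' ORDER BY username")
    return [row[0] for row in conn.execute(sql)]


def find_user_prepared(conn, username):
    """Hardened: a prepared (parameterized) statement. The value is bound
    separately and is never parsed as SQL, whatever characters it holds."""
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]


def greeting_unescaped(display_name):
    """Vulnerable: the raw value is placed into HTML, so markup in it
    is rendered (and script in it would execute) in the user's browser."""
    return "<p>Welcome, " + display_name + "</p>"


def greeting_escaped(display_name):
    """Hardened: content escaping turns <, >, &, and quotes into entities,
    so the value is displayed as text rather than interpreted as markup."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


# Constructed attack inputs: a classic SQL injection and a script payload.
INJECTION = "' OR '1'='1"
XSS_PAYLOAD = "<script>alert(1)</script>"


def demo():
    """Run both inputs through the vulnerable and hardened versions."""
    conn = make_db()
    return {
        "concat": find_user_concat(conn, INJECTION),       # every user leaks
        "prepared": find_user_prepared(conn, INJECTION),   # no such user: []
        "unescaped": greeting_unescaped(XSS_PAYLOAD),      # script survives
        "escaped": greeting_escaped(XSS_PAYLOAD),          # rendered as text
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The injected string makes the concatenated query's WHERE clause always true, so it returns every row, while the prepared statement simply looks for a user literally named `' OR '1'='1` and finds none. Note that escaping is context-specific: `html.escape` is correct for text placed in an HTML element body or a quoted attribute, but a value inserted into a JavaScript block, a URL, or a CSS rule needs the encoding for that context instead.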
Results
- Document Overview & Policy
- Create method to publish security reviews
- Incubation Process
- Developer Guidelines
Action Items
Jasig:
Document which schools have done a security audit
Share findings where possible; this will show a level of conscientiousness within the community
Document overview and policy
Eric:
Create a Wiki Space
Tamra:
Document policy with assistance from AT & ED
Alan:
Work with ED on scanning process