Fall 2009 Day 2 - Security uP, Portlets (Code safely practices)

uPortal Security

No official security policy exists yet; one could be fairly simple:

  1. Identify realistic vulnerabilities in the portal and in portlets

    1. Open source: the code is available for anyone to read and review

    2. Widely used, so a vulnerability affects many institutions

  2. Identify ways to address them without creating new holes

  3. A review process for donated code

Security Concerns

  • SQL injection

  • XSS (cross-site scripting)

  • CSRF (cross-site request forgery)

Security Policy

  • Peer review by a small, committed group

    • Eric D. sees all code commits*

  • Prepared statements (parameterized queries) instead of string-built SQL

  • Content escaping (output encoding) before untrusted data is rendered

  • Vulnerability reporting process (Jasig Security Listhost; public disclosure is normally done after a fix is provided)

  • Point to OWASP for guidance

  • Role definitions

  • Method to publish security reviews

  • Incubation process

    • CH feels the process is too long already.

  • Developer guideline document (committer access implies agreement to the process in future)

  • Disclaimer statement (at the bottom of the policy)
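The three concerns and the two coding practices above, shown together as an added example. This is not uPortal or portlet code from the page; it is written in Python with the standard library (sqlite3, html, hmac, secrets) so it runs stand-alone, and the users table and its rows are constructed sample data, not uPortal's schema. The same pattern applies in a Java portlet with JDBC PreparedStatement and an HTML-escaping utility.

```python
import html
import hmac
import secrets
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a portlet's user store (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, display_name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "Alice"), ("bob", "Bob <b>")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """SQL injection: the request parameter is concatenated into the statement,
    so a value such as  ' OR '1'='1  rewrites the WHERE clause and returns every row."""
    sql = "SELECT display_name FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn, username):
    """Prepared (parameterized) statement: the value is bound by the driver and can
    never be parsed as SQL, so the same payload simply matches no user."""
    sql = "SELECT display_name FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def render_greeting(display_name):
    """Content escaping: encode <, >, &, quotes before placing untrusted text in HTML,
    so a stored or reflected value cannot become markup or script (XSS)."""
    return "<p>Hello, " + html.escape(display_name, quote=True) + "</p>"


def issue_csrf_token():
    """CSRF defence: an unguessable per-session token that a forged cross-site
    request cannot know; embed it in forms and check it on every state change."""
    return secrets.token_urlsafe(32)


def csrf_ok(session_token, submitted):
    """Constant-time comparison of the stored token against the submitted one."""
    if session_token is None or submitted is None:
        return False
    return hmac.compare_digest(session_token, submitted)


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(conn, payload))   # every row leaks
    print("prepared:  ", lookup_prepared(conn, payload))     # no match
    print(render_greeting("<script>alert(1)</script>"))
    tok = issue_csrf_token()
    print("csrf:", csrf_ok(tok, tok), csrf_ok(tok, tok + "x"))
```

Run it and compare the two lookups for the same payload: the concatenated query returns both rows, the parameterized one returns none. The escaping and token helpers are the checks a portlet should apply at its output and form-handling boundaries respectively.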

Results

  • Document Overview & Policy

  • Create method to publish security reviews

  • Incubation Process

  • Developer Guidelines 

Action Items

Jasig:

Document which schools have done a security audit

Share findings where possible; this will show a level of conscientiousness within the community

Document overview and policy

Eric:

Create a Wiki Space

Tamra: 

Document policy with assistance from AT & ED

Alan:

Work with ED on a vulnerability scanning process

Related Wiki Pages

Security Information for Portlet Developers