Security Policy

This page is a working draft to document the general Jasig security policies and practices.


Purpose/Overview

The purpose of this security policy is to create transparency regarding Jasig's code security processes by illustrating the code submission/approval process, showing how vulnerabilities are identified and addressed, and identifying applicable security concerns within various Jasig projects.


Governance (Process)

Jasig provides its community of developers and committers with a framework for code submission and review.  Committers are strongly encouraged to follow the Developer Guidelines for Security.  Additionally, each Jasig project has a lead developer who reviews code submissions from developers after submission (process outline?) to ensure adherence to security standards.

There is a level of trust among committers (link to becoming a committer?); submissions from developers (via JIRA) are reviewed by committers before they are accepted.


Assurance that the committer process is vetted: link to the Apache project roles, or copy the description of the committer role.  The Jasig process is modeled after the Apache process (see apache.org, "how it works", for what may be worth borrowing from there).  Jasig project roles: users, developers, committers, steering committee members and chair.
 

General OWASP Top Ten information goes here (go through the Top Ten and note where each item applies):

  1. Cross-site scripting
  2. SQL injection
  3. Insecure direct object reference - synthetic keys are used, and a request from user 8 for user 9's data is rejected.  All uPortal channels perform an authorization check on every request.
  4. CSRF (cross-site request forgery) - follow a request/redirect approach: every state-changing request has to be validated, and the action then redirects.  Protection against data leakage from the page is almost impossible without JavaScript sandboxing.
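As an added illustration of items 3 and 4 (it is not uPortal or CAS code, and the request/session/profile model is a hypothetical stand-in for a real web framework), the following shows the two controls the notes describe: an authorization check on the referenced object for every request, and a per-session synchronizer token on state-changing requests followed by a redirect. The profiles for "user 8" and "user 9" are constructed sample data.

```python
"""Per-request authorization on object references, plus CSRF protection.

Hypothetical model of a portal request handler; not code from any Jasig
project. Object ids are synthetic keys, so guessing a neighbouring id is
easy; the defence is the ownership check, not the unguessability of ids.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: profile rows keyed by synthetic id.
PROFILES = {
    8: {"owner": 8, "email": "user8@example.edu"},
    9: {"owner": 9, "email": "user9@example.edu"},
}


@dataclass
class Session:
    """Server-side session: the authenticated user and a random CSRF token."""
    user_id: int
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    session: Session
    params: dict


@dataclass
class Response:
    status: int
    body: str = ""
    location: Optional[str] = None


def authorize_profile(session: Session, profile_id: int) -> Optional[dict]:
    """Return the profile only if the caller is allowed to see it.

    Only ownership is modelled here; a real portal would also consult roles.
    Returning None for both "no such id" and "not yours" avoids giving an
    attacker an oracle for which ids exist.
    """
    profile = PROFILES.get(profile_id)
    if profile is None or profile["owner"] != session.user_id:
        return None
    return profile


def view_profile(req: Request) -> Response:
    """GET handler: the object reference is authorized on every request."""
    profile = authorize_profile(req.session, int(req.params["id"]))
    if profile is None:
        return Response(404, "not found")
    return Response(200, profile["email"])


def update_email(req: Request) -> Response:
    """POST handler: validate method, CSRF token and authorization, then
    redirect so that a browser refresh re-issues a GET rather than the POST."""
    if req.method != "POST":
        return Response(405, "method not allowed")
    token = req.params.get("csrf_token", "")
    # Constant-time comparison against the token stored in the session.
    if not hmac.compare_digest(token, req.session.csrf_token):
        return Response(403, "invalid csrf token")
    profile = authorize_profile(req.session, int(req.params["id"]))
    if profile is None:
        return Response(404, "not found")
    profile["email"] = req.params["email"]
    return Response(303, location=f"/profile?id={req.params['id']}")


if __name__ == "__main__":
    s8 = Session(user_id=8)
    print(view_profile(Request("GET", "/profile", s8, {"id": "9"})).status)  # 404
    print(update_email(Request("POST", "/profile/email", s8,
                               {"id": "8", "email": "new@example.edu",
                                "csrf_token": s8.csrf_token})).status)  # 303
```

The token check runs before the authorization check so that a forged cross-site request is rejected without touching application data at all; the 404 rather than 403 on a foreign id is deliberate, since a distinguishable response would let a caller enumerate which synthetic keys exist.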

Vulnerability Reporting Process

Define process here...

See the main wiki page for contact info: http://www.ja-sig.org/wiki/display/JSG/Security+Contact+Group



Projects

  • uPortal
    • reference to "becoming a uPortal committer" (on wiki) ???
    • uPortal Framework
      • why OWASP 3, 8 and 9 don't apply
    • Bundled Portlets - do these just fall under governance?
    • Other Jasig Portlets - do these just fall under governance?
    • Custom Portlets (writing your own) - disclaimer regarding home-grown portlets.  uPortal only sends a portlet the user attributes that the specific portlet has been configured to receive; a portlet has no access to the portal's attributes unless they are specifically exposed to it.  Beyond that, portlets are just web applications running on your server.
  • CAS
    • why OWASP 3 and 8 don't apply

Outside Security Efforts

The nature of the open source community requires input and assistance from users throughout the community.  Below is a list of security efforts made by users of Jasig projects who were willing to share their findings.

** If you have done security related work on any Jasig project we would love to hear about it. **  (instructions here)

  • List of others' security efforts
 

References


*** Disclaimer ***

John Lews to write.