2023-07-26 Meeting notes 1

\uD83D\uDDD3 Date

26 Jul 2023

\uD83D\uDC65 Participants

• Phillip Shiu (Deactivated)

• Feanil Patel

• Alison Langston

\uD83E\uDD45 Goals

• Vision-casting: Where do we want to go in the future for proactive security work?

  • Areas

    • 1st-party dependency security upgrades

      • Maintenance Board

    • 3rd-party security upgrades

      • Maga is working on creating process in BTR for Django

    • Code

      • XSS linting on edx-platform

  • What are the top possible improvements?

    • 3rd-party security upgrades

    • Django security linters

      • https://github.com/vintasoftware/awesome-django-security#tools

    • Security checks before PR merge

      • https://github.com/PyCQA/bandit/tree/main

• How to deal with new reports that are duplicates of edX’s SWG backlog?

  • There’s a lot of value in keeping GHSA creation limited to actionable items to reduce noise.

  • It might be good to create a “common reports & responses” section in our private Confluence pages to make triage more efficient.

• Third-party/middlemen for security researchers

  • Let’s experiment with it by responding to their email using our normal responses.

✅ Action items

• For next time: Consider https://securitytxt.org/