State of the Security Working Group (March 2023)

Introduction

The Security working group is responsible for advising on security and providing security-scoring-as-a-service for maintainers.  Our group’s guiding principles can be found in OEP-60 which outlines the security process and the general responsibilities of the working group.

 

Consider this report as a compilation of what we’ve done over the past year, what we’re looking at doing in the next 6 months, and a wider vision of the group’s future beyond that.

 

Accomplishments

Over the past year, our major accomplishments were:

 

  • Jan 2023,  The security process OEP was accepted and the working group was established.

  • Feb 2023 - March 2023, The working group has begun building out a backlog of tasks

    • Most of the tasks currently cover transition work to transfer responsibilities that 2U previously maintained.

    • Improve security related processes, especially around major package upgrades and maintainer responsibilities.

 

Further, we’ve made significant progress on the following initiatives:

 

  • Establishing a public Open edX security policy

 

We continue to engage in a set of ongoing tasks; these tasks are work we need to be sure we’re doing on a regular basis, but we don’t want to lose sight of their importance. Those tasks are:

 

  • Triaging any incoming security vulnerability reports.

  • Advising and providing just-in-time security support.

 

Concrete Plans - Next 6 Months

Over the next six months, the Security working group has some really exciting work queued up. 

 

  • We’ll complete the transition from the 2U Security Working Group as the primary contact to the Open edX Security Working Group as the primary contact for security related issues. This will include:

    • Establishing security policies.

    • Establishing and documenting new processes for Maintainers

    • Updating documentation across the Open edX Project with the most up-to-date security information.

  • Working with BTR/Arbi-BOM to establish a well defined process to handle Django patch and security updates. 

Links