Security Manager Role
Axim-specific code will be moved to a new Axim GH org. This will let us make someone from the Security WG a “Security manager” in GH, which gives read/write to all repos in the openedx GH org.
This gives Security WG folks more confidence to make changes, as they won’t have scary admin powers.
Metrics in repo-health
GH private forks
Named release security notifications
Batched pip updates
GH Actions updates can be individual because they’re less common.
We like batching pip updates because they happen so often.
Can we get the pip updates to tell us which updates are security updates?
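Added example (not from the meeting or the openedx repos): a Dependabot configuration that does what the notes describe, batching pip updates into one PR per week while leaving GH Actions updates individual. The group name and schedule are assumptions.

```yaml
# .github/dependabot.yml (constructed example, not an openedx file)
version: 2
updates:
  # pip updates arrive often, so batch them into a single PR per run
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      pip-dependencies:      # assumed group name
        patterns:
          - "*"              # every pip dependency lands in the one grouped PR

  # GH Actions updates are rarer, so leave them as individual PRs (no groups key)
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

With no `groups` entry under the github-actions block, Dependabot opens one PR per action update; the pip block rolls its updates into a single grouped PR instead.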
Dependabot best practices
Does the WG have folks outside Axim & 2U?
Not until now – Maria!
The group is working on expanding. Maybe the “invite only” thing scared people off. We’ll need to reach out to people.
Phil was hoping the Security WG would be a symposium of security organizations – every operator has security concerns, and ideally we would all be collaborating to keep each other’s sites secure.
Ideas: vulnerability hunt, book club
Lots of interest in CVSS scoring - maybe a game here (“guess the score by the email”)
What level of experience is the WG looking for?
Probably willing to take folks who are new to security and grow them into the role.
“The training doesn’t have to be secret” – as the group teaches new members, those exercises can be public so anyone can follow along.
Only really a specific part of the group’s work needs to be private.
Multiple current WG members started with little/no experience. We don’t want to intimidate folks out of the group.
More education on what the group does