2023-03-31 Security WG Meeting

Security Manager Role

@Feanil Patel

• Axim-specific code will be move to new Axim GH org. This will let us make someone from Security WG a “Security manager” in GH, which gives read/write to all repos in the openedx GH org.

• This gives Security WG folks more confidence to make changes as they won’t have scary admin powers.

Metrics in repo-health

@Jeremy Bowman (Deactivated)

• edx.org is adding dependabot metrics repo-health. This is work done by @Nicholas Moy (Deactivated) in fix: add check for dependabot alert counts by ohnickmoy · Pull Request #357 · openedx/edx-repo-health.

• @Alison Langston (Deactivated) is working on drafting a ticket to get this into the dashboard.

GH private forks

@Feanil Patel

• edx.org may still use the private patch process but it shouldn’t interrupt the community.

Named release security notifications

@Jeremy Bowman (Deactivated)

• How to get notified about security issues for named release branches?

• This is something we can do – we’ll need to set up Dependabot to notify us for certain branches (openedx-release/<latest>.master)

Batched pip updates

@Feanil Patel

• GH actions updates can be individual b/c they’re less common

• We like batching pip updates because they happen so often

• Can we get the pip updates to tell us which updates are security updates?

  • Use case: we want to treat security updates higher priority than our normal pile of pitch version patches

Dependabot best practices

@Feanil Patel

• We need to invest more in dependabot in how we want to use it & document the best practices

New members

@Kyle McCormick

• Does the WG have folks outside Axim & 2U?

• Not until now – Maria!

• The group is working on expanding. Maybe the “invite only” thing scared people off. We’ll need to reach out reach out to people.

• Phil was hoping Security WG would be a symposium of security organization – every operator has security concerns, and ideally we would all being collaborating to keep each other’s sites secure.

• Ideas: vulnerability hunt, book club

• Lots of interest in CVSS scoring - maybe a game here (“guess the score by the email”)

• What level of experience is the WG looking for?

  • Probably willing to take folks who are new to security and grow them into the role.

  • “The training doesn’t have to be secret” – as the group teaches new members, those exercises can be public so anyone can follow along.

  • Only really a specific part of the group’s work needs to be private.

  • Multiple current WG members started with little/no experience. We don’t want to intimate folks out of the group

• Online meetup

• More education on what the group does

• Games

  • CVSS scoring