2023-03-31 Security WG Meeting

 Date

Mar 31, 2023

Working Group in-person meeting at the Open edX Conference

 Participants

  • @Feanil Patel, @Phillip Shiu, @Robert Raposa, @Alison Langston, @Jeremy Bowman, Maria (eduNEXT), @Kyle McCormick, Bruno (UTEC)

 Goals


 Discussion topics

Item

Presenter

Notes


Security Manager Role

@Feanil Patel

  • Axim-specific code will be moved to a new Axim GH org. This will let us make someone from the Security WG a “Security manager” in GH, a role that gives read/write access to all repos in the openedx GH org without org-admin rights.

  • This gives Security WG folks more confidence to make changes, since they won’t have scary admin powers.

Metrics in repo-health

@Jeremy Bowman

GH private forks

@Feanil Patel

  • edx.org may still use the private patch process but it shouldn’t interrupt the community.

Named release security notifications

@Jeremy Bowman

  • How to get notified about security issues for named release branches?

  • This is something we can do – we’ll need to set up Dependabot to notify us for certain branches (openedx-release/<latest>.master)

Batched pip updates

@Feanil Patel

  • GH Actions updates can stay individual because they’re less common.

  • We like batching pip updates because they happen so often.

  • Can we get the pip updates to tell us which updates are security updates?

    • Use case: we want to treat security updates as higher priority than our normal pile of pip version bumps.

Dependabot best practices

@Feanil Patel

  • We need to invest more in how we want to use Dependabot, and document the best practices.
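The Dependabot setup sketched in the three items above (named-release notifications, batched pip updates, best practices), as an added example that is not from the meeting or from any openedx repo: one dependabot.yml that opens individual PRs for GitHub Actions, batches pip bumps into a single grouped PR, and also watches a named-release branch. `<release>` is a placeholder for the actual release name.

```yaml
version: 2
updates:
  # GitHub Actions: keep one PR per update, since these are infrequent
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"

  # pip on the default branch: batch the frequent version bumps into one PR
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      pip-batched:
        patterns: ["*"]

  # pip on a named-release branch (<release> is a placeholder, not a real branch)
  - package-ecosystem: "pip"
    directory: "/"
    target-branch: "openedx-release/<release>.master"
    schedule:
      interval: "weekly"
    groups:
      pip-batched:
        patterns: ["*"]
```

One caveat to check before relying on this: Dependabot alerts and the security-update PRs raised from them are based on the repository's default branch, so a `target-branch` entry gives the named-release branch version updates only, and security fixes for it still have to be identified from the alerts and backported.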

New members

@Kyle McCormick

  • Does the WG have folks outside Axim & 2U?

  • Not until now – Maria!

  • The group is working on expanding. Maybe the “invite only” thing scared people off. We’ll need to reach out to people.

  • Phil was hoping the Security WG would be a symposium of security organizations: every operator has security concerns, and ideally we would all be collaborating to keep each other’s sites secure.

  • Ideas: vulnerability hunt, book club

  • Lots of interest in CVSS scoring - maybe a game here (“guess the score by the email”)

  • What level of experience is the WG looking for?

    • Probably willing to take folks who are new to security and grow them into the role.

    • “The training doesn’t have to be secret” – as the group teaches new members, those exercises can be public so anyone can follow along.

    • Only a specific part of the group’s work really needs to be private.

    • Multiple current WG members started with little or no experience. We don’t want to intimidate folks out of the group.

  • Online meetup

  • More education on what the group does

  • Games

    • CVSS scoring


 Action items

 Decisions