2023-07-26 Security WG Meeting

 Date

Jul 26, 2023

 Participants

• @Phillip Shiu (Deactivated)

• @Feanil Patel

• @Alison Langston (Deactivated)

 Goals

• Vision-casting: Where do we want to go in the future for proactive security work?

  • Areas

    • 1st-party dependency security upgrades

      • Maintenance Board

    • 3rd-party security upgrades

      • Maga is working on creating process in BTR for Django

    • Code

      • XSS linting on edx-platform

  • What are the top possible improvements?

    • 3rd-party security upgrades

    • Django security linters

      • GitHub - vintasoftware/awesome-django-security: A collection of Django security-related tools and libs.

    • Security checks before PR merge

      • GitHub - PyCQA/bandit: Bandit is a tool designed to find common security issues in Python code.

• How to deal with new reports that are duplicates of edX’s SWG backlog?

  • There’s a lot of value in keeping GHSA creation limited to actionable items to reduce noise.

  • It might be good to create a “common reports & responses” section in our private Confluence pages to make triage more efficient.

• Third-party/middlemen for security researchers

  • Let’s experiment with it by responding to their email using our normal responses.

 Action items

For next time: Consider security.txt