2023-07-26 Security WG Meeting

 Date

Jul 26, 2023

 Participants

• @Phillip Shiu (Deactivated)

• @Feanil Patel

• @Alison Langston

 Goals

• Vision-casting: Where do we want to go in the future for proactive security work?

  • Areas

    • 1st-party dependency security upgrades

      • Maintenance Board

    • 3rd-party security upgrades

      • Maga is working on creating process in BTR for Django

    • Code

      • XSS linting on edx-platform

  • What are the top possible improvements?

    • 3rd-party security upgrades

    • Django security linters

      • https://github.com/vintasoftware/awesome-django-security#tools

    • Security checks before PR merge

      • https://github.com/PyCQA/bandit/tree/main

• How to deal with new reports that are duplicates of edX’s SWG backlog?

  • There’s a lot of value in keeping GHSA creation limited to actionable items to reduce noise.

  • It might be good to create a “common reports & responses” section in our private Confluence pages to make triage more efficient.

• Third-party/middlemen for security researchers

  • Let’s experiment with it by responding to their email using our normal responses.

 Action items