Charter

The CAS Application Security Working Group works on the security of the CAS application. We

  • proactively work to improve the security of CAS, focusing on the Apereo CAS server, the protocol, and various CAS clients.
  • respond to potential vulnerabilities. We create, maintain, and execute on a vulnerability triage and notification policy, fielding handoffs from the Jasig Security Contact Working Group and from other sources. We issue vulnerability reports and work to coordinate workarounds and fix responses to security concerns that arise.
  • produce artifacts that help potential CAS adopters to evaluate the security of CAS, both as an open source product and as they intend to implement it locally. This includes threat modeling, data flow diagrams, etc.
  • create and maintain recommendations on good practices for CAS implementation: hardening, configuration, failing safe, security by default, etc.

Working Group Members

Mailing Lists

  • cas-appsec-public - public list for general discussion, coordination, and collaboration.
  • cas-appsec-private - private list for discussing potential vulnerabilities, analysis of reported vulnerabilities, and other ongoing work.

Meeting Minutes

Action Items

JIRA Project: CAWG

Tools

Resources

CAS inventory

CAS Hardening

Threat Modeling

Vulnerability Response

1 Comment

  1. I agree with the charter for the most part, but I think this is up for debate:

    "respond to potential vulnerabilities.  We create, maintain, and execute on vulnerability triage and notification policy, fielding handoffs from the Jasig Security Contact Working Group and otherwise.  We issue vulnerability reports and work to coordinate workarounds and fix responses to security concerns that arise."

    Everything else the charter contains is value-add to the project. This particular item is claiming responsibility for something that informally has a process in place already (or maybe it's formal, just not well known).