Zoom link: https://us02web.zoom.us/j/968367412

Host key can be found in the description of the TAG Slack channel.

Attending:

• Willow Gillingham
• Amy Blau
• Luke Taylor
• Don Richards
• Isabella Nikolaidis

Agenda

• Security Workflow
  • possibly opening TAG channel to emails

Interest Group Updates

Islandora Events

Action Items

• Who is a part of the security group?
• Update https://github.com/islandora-interest-groups/Islandora-Security-Interest-Group/wiki/Disclosure-Policy
  • This needs to go somewhere else more front-facing

Meeting Minutes

• Security Workflow

  • Luke: Due to the nature of it, didn't feel it was appropriate to post publicly anywhere
  • When security issues come up there needs to be some sort of back channel to get a plan together so it can be released in a way where we have fix, fix merged, advisory put together
  • Once upon a time there was a security email - should we revive that and have a policy to say that if you have a security issues or vulnerabilities and you'd like to bring it to the foudnation's email here
  • Don: We have a disclosure process but the documentation for it is in an interest group that is no longer
  • https://github.com/islandora-interest-groups/Islandora-Security-Interest-Group/wiki/Disclosure-Policy
  • Private message in tag channel or those reviewing the fix

• The only time google groups is brought in is when the fix is published

• Luke: Security announcement needs to be where CoC or procedures are

  • Put a posting up on slack saying here's where it is

• Luke, Don volunteers to be a part of this security response

  • Someone from Born-digital might be interested as well - Gavin?

• Luke: To the TAG group?

  • Don: not all people in security response were available to be in tag

• #security-response channel is open/public

• Amy: Helpful to add a google form for security reports?

  • make sure submissions aren't viewable publicly

• Luke: What types of CI/CD testing we're running on Islandora proper? There are Drupal testing tools that likely could have caught the previous

  • Drupal sniffs

• Willow: Is this php pcs? It's a great utility to make your tool or make your code have dependency injections, standardized drupal requirements?

  • You could activate specific standards, ex. Drupal would be one of them

• Luke: What CI/CD is already in place?

• Luke: Github action that kicks off or spins a ocntainer that runs codesniffer?

• Don: Ultimately does pull you over to actions - security or actions takes you to actions - then under the Actions list is Security

Where should security contact email be listed?

• Willow: On Drupal site, module installs, info file for the dependencies
  • Link to our security page/directions once moved
• Luke: Link in footer of islandora.ca
• Don: The process for submitting a ticket - to prevent people accidentally reporting security breach - add a new template to report security vulnerability - do not report! Go [here] instead ...
• Luke: https://www.islandora.ca/contact-us#comms-channels