2019-10-16 Meeting notes

Date

Attendees

Discussion items

Time | Item | Who | Notes
10 min | Update on DoD | Mark Veksler
  • Quick update: continuing to make (albeit slowly) progress on consolidating DoDs. Had a few questions for TC: thoughts about adding these mandatory requirements to DoDs: 1) conduct testing in a multi-tenant environment (might require the community reference environment to be set up with multi-tenant data) and 2) use ZAP to scan for OWASP Top 10 security vulnerabilities?

1) Discussed the distinction between multi-tenant testing and simply testing in a multi-tenant environment. We've seen some modules run out of memory in a multi-tenant environment and/or have issues when adding new tenants, so some problems will become visible more quickly. There is definitely a need to provide teams/developers with an environment to test in. More discussion is needed about what our requirements might be.

2) ZAP is a free/open-source, browser-based tool that usually requires manual execution. There seems to be a SonarQube plugin, and one for Jenkins. Front-end only. General agreement that this is a good direction. More details to be nailed down.

5 min | Security Audit
  • Funding has been committed by Leipzig, but there are some procedural details to be worked out before we can engage NCC.
10 min | New Assignment for Tech Council

FOLIO Infrastructure Budget maintenance. Discussed how this new policy came to be. We'll pull people together to outline the process we will follow. One aspect will be to decide how much information can remain public versus what information needs to be private. Another point is that it would be great to be able to tie actions to specific costs. Volunteers: Mike Gorrell, Peter Murray, Jakub Skoczen, Tod Olson, Mark Veksler. Mike to pull folks together.

Note: AWS has some credits/discounts for non-profits, though not for Reserved Instances. Timing of the change from On-Demand to Reserved Instances: Peter will make some changes soon but won't finish until a further analysis is done by some EBSCO resources.

10 min | Security Policy Group Update
The group has met a few times and has a rough outline for a document, still really high level. Before the next group meeting they are hoping to finalize the straw man (next Monday 10/21).
10 min | Update on Debt-6 | TC
  1. Environment - Core Platform
  2. Defining the test scenarios (which tests, how many of each, what data is needed, how big a dataset, etc.) ← Likely community product owner-type
  3. Building the tests themselves - Core Functional ( ? )... some teams have created sets of JMeter tests; these may be useful too. Would be helpful to leverage all teams to build these tests
  4. Collect and/or create data to be used - Mike and Tod to query Sys-Ops, potentially need to augment and/or curate additional data. Harry K might have a standard set of users
  5. Identifying which tools can be used to profile the application so that we can assess the results

Updates:

1) Mike started conversations with Jakub. There are a few environments that we can consider. Not urgent.

2)  No update. Expect update 10/30.

3) Essentially on-hold until we have use cases to evaluate. Note that we have a bunch of JMeter tests that might be useful.

4) Chicago can deliver bib data. We discussed the value/benefit of synthetic data for Holdings/Items/Users/Loans. The Core team has an item (FOLIO-2296) to create some test data, which could overlap with this need.

5) Will have an update on 10/23

20 min | Tech Debt update | TC
Mike to present an update to the Product Council on 10/24. Asking TC members to update items before next week's meeting.