Website update


Andrew van der Stock

Apr 15, 2026, 6:14:49 PM
to Global-board
Hi all,

A fair bit has been happening this and last week. Firstly, thank you to Sam for conducting a static code analysis of the source code. We've taken those findings and put them into Monday.com and provided Antimatter with the reports so they can fix them. 

We had a productive meeting today with Antimatter, Christian, myself, Zoe and Jon McCoy to go through the findings, prioritization, and discuss how to remediate the issues. They will be concentrating on the critical and high risk findings first. Some of the findings are low or no risk because they are not deployed to production (such as a migration SQL script, which has to do what it does but is not used by anyone but the developers pushing schema updates, which is a once-off affair). 

Antimatter will work on the code this week. We will have a meeting on late Friday US time (Saturday my time) to review progress. I will review the code for changes to see if the issues have been closed from a source-code-review perspective, but once all the fixes are in, we will get it fully penetration-tested with these reports to make sure the issues are remediated effectively. 

I've been in discussions with FortiGate to provide a quote for a full penetration test. They've asked for test accounts to fully scope the test, which is in progress. I will not start the test until enough of the static code analysis fixes are in place. 

Once the fixes are in place and the penetration test is complete, we will proceed to go live. 

thanks,
Andrew van der Stock
Distinguished Lifetime Member
Executive Director, OWASP

Andrew van der Stock

Apr 26, 2026, 12:34:53 AM
to Global-board, Andrew van der Stock
Hi Board,

In this week's update, Christian and I met several times with the website developers, who have deployed fixes for the vast majority of the issues. I feel that at this stage, there are no more features to build or secure, so it's primarily about completing security testing and ensuring the content is up to date. 

I've started the process of engaging a CREST-certified penetration testing firm. I will be giving them all the previous results to re-test and instructions to try to find any additional issues. 

The major issues between us and go-live:

- We need Chapter leaders to update their pages with the latest meeting information, but this shouldn't stop us from going live. It took more than three years for the current system to be updated in earnest by all chapters. 
- Due to the potential for clear-text storage of credentials in the past, I will be asking for a complete secret and password rotation once we have finalized the penetration testing.
- We need all projects, events, Board meetings, policies, and finance contents to be ported across.
- We need to review that all archived projects and chapters are excluded in the go-live.

In related news, Harold has been processing chapter tickets. This likely means that some leaders on the new website should not be. We will catch up with those as time goes on.

thanks,
Andrew