[Jhs-leads] security meeting agenda

Kirkpatrick, Ivan Ivan.Kirkpatrick@dep.state.fl.us
Wed, 15 Jun 2005 10:23:34 -0400


All Project Leads and Project Managers should be prepared to discuss the
following items in relation to their specific requirements.  We are gathering
requirements for access to the Integration Server (epic52).  Part of this
stems from projects that would like to Demo the applications prior to an
actual Production deployment.

I would appreciate advance comments or additions to this agenda.

Some of the issues to be discussed will include:

Access to port 80 http services.  This includes the JHS website and the Maven
generated project web sites.

Access to port 7778 deployed applications.  Note that access here will be via
SSO specifically for each application.  Developers must be aware of any
potentially sensitive data the application might expose during development.
This may or may not include log files which currently are available via port
8000? http://epic52.dep.state.fl.us:8000/app-logs/Log4JLogs/

Access to epic52 for SSH, CVS.  This is currently controlled by user accounts
on Integration.  This is what would be required to enable development
off-site.

Database access through the firewall ports and database servers already
opened.  This appears to require at least a formally maintained list?

Access Monitoring options.  This includes but may not be limited to user
account logging, file and directory permissions to the JHS ORACLE_HOME
directories and the current sudo access to maven and oracle accounts shell
scripts (i.e. build.sh and deploy.sh).

Intrusion detection and response.  I know of tripwire but perhaps there are
additional options I am not familiar with.

Permissions and access to any of the data-sources.xml files.  These files
contain user accounts for the OC4J deployed applications, a password and
database port and SID parameters.

Other issues?

Ivan S Kirkpatrick