Add 2023-03-07 meeting notes

rcthomas · web-flow · commit d9c0169edfc7 · 2023-03-07T09:06:28.000-08:00
* New member Joe Lucas
* TrustedCI summit training / workshop opportunity
* Intigriti update
* Next steps in vulnerability mgmt
diff --git a/meetings/2023-03-07.md b/meetings/2023-03-07.md
@@ -0,0 +1,65 @@
+# Jupyter Security Bi-weekly Meeting
+
+## March 7, 2023
+
+| Name               | affiliation| username         |
+| -------------------| -----------| -----------------|
+| Jason Weill        | AWS        | @JasonWeill      |
+| Joe Lucas          | NVIDIA     | @josephtlucas    |
+| Rollin Thomas      | NERSC      | @rcthomas        |
+| Jason Grout        | Databricks | @jasongrout      |
+| Rick Wagner        | UCSD       | @rpwagner        |
+
+* Jason W: Add Joe Lucas to Security Council (https://github.com/jupyter/security/pull/56) — also added to Google Group
+* Rollin: TrustedCI Summit October 2023, opportunity for Jupyter security training and workshop
+    * Met with the 2 leads from [TrustedCI](https://www.trustedci.org/about) (NSF Center of Excellence for Cybersecurity)
+        * Supports major NSF facilities that deploy infrastructure for research
+        * TrustedCI hosts an annual cybersecurity summit
+        * E.g. a few years ago, Rick and Matthias gave a security training on Jupyter there
+    * Discussion was some kind of Jupyter-focused workshop/activity at 2023 event (October)
+        * Could be an opportunity to update the Jupyter security training tutorial (1/2 day)
+            * Rick would update this, he also gave the same tutorial at the same conference before with Matthias
+            * Rick will get started on this sooner rather than later
+        * Then, a 1/2 day or full day Jupyter security workshop
+            * Potential for overlap with some other cohosted workshops
+            * E.g. [Zeek](https://zeek.org/) workshop: Monitoring and instrumenting Jupyter to work w/Zeek?
+        * Questions:
+            * Is the security council broadly in favor of pursuing a workshop? **Answer: Yes**
+            * Participants (Berkeley location is "central")?
+            * What gaps are there in funding for the logistics?
+            * When is TrustedCI going to put up website, etc? => sooner helps people get approvals
+            * Industry partners (Anaconda, AWS, NVIDIA, ...): 2 for 1?  Send a person and seed a scholarship?
+* Jason G: Intigriti
+    * Had meeting w/Charlotte De Vleeschouwer, Customer Success Manager, on Feb. 23
+    * Discussed scope of the program
+    * Scope was larger than Intigriti expected
+    * Wanted to start with jupyter-server, JupyterLab, JupyterHub
+        * Start small and iterate
+        * Enlarge scope a little more if that works
+    * Program created, three groups
+        * One for each w/a contact
+        * Each group can have multiple packages
+    * Wants another call w/POCs for each to kick off
+    * Jason to close the loop w/other projects that won't be included in first round and help set up this kickoff meeting
+* Rick: What do we want people looking at?
+    * Example: Recent git CLI vulnerabilities
+        * Git is provided in Docker images
+        * Should we have advised people to ensure Git was updated?
+        * Not Jupyter-specific code, but part of the "packaging"
+        * Should that figure into the vulnerability reporting process?
+    * With respect to conda and PyPI what is the dependency chain?
+        * What other repos are important?
+        * Install instructions based on meta-packages or "top" packages that get installed?
+        * Older packages and repos?  Maybe recommend dependabot is working for all these
+        * What leverages GitHub automation to get a handle on all the packages?
+        * Next policy recommendation would be something like:
+            * Be running dependabot wherever we can
+            * Here are the list of packages of greatest concern/interest
+        * Node-based stuff?
+            * Do the npm repos have 2FA, etc.
+            * PyPI likewise
+    * Security sprints?
+    * Maybe start with dependency graphing
+    * Example open source vuln management policies
+        * https://github.com/ossf/oss-vulnerability-guide
+        * https://about.gitlab.com/handbook/security/security-engineering/application-security/vulnerability-management.html
