Hi Muthukumar, (adding dev@jspwiki.apache.org since the conversation may pick up some interest there - @dev: Muthukumar is the reporter of the last couple of disclosed vulnerabilities on JSPWiki)
AFAIK, Apache projects, as a whole, don't follow a given, common set of security practices, as each project's development is totally independent from the others. There may be synergies and/or collaborations, but they're different projects, with different paces, some are developed by individuals from different companies as their day job, others are not, each project has different practices, etc., so asking your questions to any given project will surely yield different answers. I'd say, regarding the topic of security, the only commonality is that all projects report quarterly to the ASF Board, and the Board ensures each project has enough oversight so the project doesn't go stale. Part of this oversight is ensuring that security vulnerability reports are dealt with within a reasonable amount of time (and this may vary between projects). Other than that I'd think each project has its own community and its own set of practices. The typical process of vulnerability handling is described at https://www.apache.org/security/committers.html#vulnerability-handling, but again it may vary within each project.

Focusing on JSPWiki, I'd say we don't have a strict set of rules / checklists, but most probably we are all doing more or less the same things: we make use of the ASF Sonar instance at https://builds.apache.org/analysis/overview?id=org.apache.jspwiki%3Ajspwiki-builder, we keep an eye on committed code, etc. I've recently begun to also look at Sonatype's OSSIndex tool to keep an eye on the project's dependencies, but that's done locally, before pushing code.

Not sure if this answers your questions; if you're looking for a broader ASF projects' perspective you may want to ask at the Apache Incubator ( gene...@incubator.apache.org), or at Apache Community Development ( https://community.apache.org/newcomers/index.html, you can reach them at d...@community.apache.org), both will most surely give you more accurate answers from this perspective.
If you'd like to ask more specifics about JSPWiki, please do follow up on this e-mail. Anyone else wanting to chime in, share his/her perspective, correct me, this would be like a perfect occasion to do so :-)

best regards,
juan pablo

On Thu, Apr 11, 2019 at 9:13 AM Muthukumar Marikani < muthukumar.marik...@zohocorp.com> wrote:
> Hi,
>
> Hope you are doing well, I am Muthukumar Marikani from ZOHO-CRM Security Team. Recently we have reported some security issues in Apache-JSPWiki, and have reported security issues in other Apache products as well.
>
> We are interested in understanding more on what kind of security practices you are following in your release process to ensure the security of your product's code. Like what types of security testing you will perform when releasing a new milestone/version/feature, i.e., the release process?
>
> Can you kindly share those details with us? Thanks in advance.
>
> Regards,
> Muthukumar Marikani (unknown_person <https://twitter.com/unkn0wn_p3rson>)
> ZOHO-CRM Security Team