From 07599db1164cc47df51538cdc36b2a92457e7705 Mon Sep 17 00:00:00 2001 From: Martin Emde Date: Mon, 30 Sep 2024 16:32:14 -0700 Subject: [PATCH] Ruby Central: Update September 2024 Signed-off-by: Martin Emde --- alpha/engagements/2024/RubyCentral/README.md | 2 + .../2024/RubyCentral/update-2024-09.md | 43 +++++++++++++++++++ 2 files changed, 45 insertions(+) create mode 100644 alpha/engagements/2024/RubyCentral/update-2024-09.md diff --git a/alpha/engagements/2024/RubyCentral/README.md b/alpha/engagements/2024/RubyCentral/README.md index 0d4711f8..2a5abfee 100644 --- a/alpha/engagements/2024/RubyCentral/README.md +++ b/alpha/engagements/2024/RubyCentral/README.md @@ -17,6 +17,8 @@ This engagement started in February 2024. * [May 2024](update-2024-05.md) * [June 2024](update-2024-06.md) * [July 2024](update-2024-07.md) +* [August 2024](update-2024-08.md) +* [September 2024](update-2024-09.md) ### Primary Contacts diff --git a/alpha/engagements/2024/RubyCentral/update-2024-09.md b/alpha/engagements/2024/RubyCentral/update-2024-09.md new file mode 100644 index 00000000..b2d283e1 --- /dev/null +++ b/alpha/engagements/2024/RubyCentral/update-2024-09.md 
@@ -0,0 +1,43 @@ +# Update 2024-09 + +## Organizations + +We are making steady progress and continue to aim for the end of November to have the feature ready for users. + +### Maintainer Role + +* Maintainer role code is ready to merge pending documentation for using the featuer. +* We will publish the feature along with the documentation when both are ready. + +### Organizations + +* The onboarding model, supporting a user to create an organization, is in progress. +* As we work on implementing the details of the onboarding process, we are working through some of the implications of the design. +* The organization designs are partially implemented on the site. +* The organization designs incorporate our new design templates and add highly requested features like dark mode and an improved user interface that highlights more important information. +* We will begin rolling out the new design template with the organizations feature. + +### Next steps: + +* Finish the pages for viewing an organization. +* Continue work on the onboarding process and ability to edit and manage the organization. +* Start adding test users once the permission system and organization pages are ready. + +## Audit + +The audit is completed and the draft report was delivered September 9th, 2024. + +* We have reviewed the report with the Trail of Bits team. +* The report details 33 findings, mostly low severity or informational. +* 7 findings were considered medium severity, and 1 finding was labeled high severity. +* Samuel and the rest of the team have taken the findings and are responding with fixes and/or explanations that explain why a fix is not necessary. + +One important finding of this audit is that our effort to continue to convert our infrastructure to Terraform would pay large dividends in security. +However, this project is a large undertaking that will require a larger monetary and time investment above and beyond the baseline maintenance supported by our current funding. 
+ +### Next steps: + +* Addressable security concerns will be remediated and fixes deployed. +* A response document is being drafted that responds to each finding. +* When we are ready to mark each of the items as complete, we will contract with ToB for a further fix review. +* After the fix review is incorporated into the report, we will coordinate with ToB to publish the report.
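Review bot: the README hunk links to `update-2024-08.md` alongside `update-2024-09.md`, but this patch only creates `update-2024-09.md` (the stat line lists two files changed, one created). Please confirm the August update file already exists in the tree, or the new link will render as a broken reference on the engagement index.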
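Review bot: typo in the Maintainer Role bullet of `update-2024-09.md`: "pending documentation for using the featuer" should read "feature". Two smaller style points in the same file: the two `### Next steps:` headings carry a trailing colon, which the other headings in this file (and the README it is linked from) do not use, and the `### Organizations` sub-heading repeats the `## Organizations` section title directly above it, so a more specific name such as "Onboarding and design" would make the outline easier to scan.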