| Current state of the app | Diana Antova / Steven Maglio | Current Structure
- GoGaucho app is published to the Apple store and Google Play https://gogaucho.app/
- The development team consists of students only; they registered an organization with Student Life and grew it from 6 people to 20 people in the last several weeks.
- Have 3 project managers, a marketing person, and iOS, Android and back-end developers.
- Use screen scraping to get to dining menus, and other info
- Requested access to APIs to replace screen scraping functionality
- Their roadmap includes adding campus events, an MTD real-time bus map, registration information, and other items
- Steven and Diana are in conversation with AS and Public affairs about providing access to UCSB events.
- Technical challenge - they ask students to log in, receive the password in clear text, use it to log in to GOLD as the student, and screen scrape the schedule to display it.
- Meeting scheduled with campus officials to discuss their viewpoint on this app.
|
| Options | Diana Antova / Steven Maglio | Options
- Do nothing
- Hire students and make the app sanctioned UCSB app
- Provide support to the students to make sure they don't violate security requirements and we support their growth in this app development.
- Seth - now they have full access to GOLD, we don't know what they are pulling and what they are storing
- We can find the IP address of Heroku and see how it looks in GOLD
- If we can provide secure access in the future, we can
- Steven - work with legal counsel to make sure we have the boundaries established
- Shea gave us the go-ahead to experiment with the Google OAuth system to provide a secure way to log in users
- James - what is the timeframe to set up the Google OAuth?
- Get access to Heroku code
- put dates and timelines to fix issues
- Steven will work on this next week
- Seth - vote to end this feed as a responsible data owner can't let it continue
- Josh - use of our trademark name
- Josh - if we support them, we have a potential of them updating data - we have full control of what APIs they have access, registrar approves access
- James - can we do a marketing push to make sure we are not seen as validating inappropriate use of student data, be proactive
- an article in the Nexus
- we have plans to support you, we have to pull this functionality out to protect student data
- can we create a badge to be added to the app that tells students
- Josh - are we going to force them to do open source, code reviews?
- At what point is UCSB liable if something goes wrong?
- Seth - IS3 - level 3 and up requires a code review by a lead developer
- Steven - the API gateway has the responsibility to review the app and approve the security
- API team has language to do security review for anyone that requests API access
- Josh - the app is addressing an existing gap
- if we ask them to take it out and the message comes in Nexus, it can be a PR issue
- Steven - they can go to associated students and get sponsorship for server funding
- A professor is now sponsoring their organization
- Josh - biggest concern - the data owner being OK with it, there is language that says "by using this you are taking ownership and responsibility if a breach happens"
- Seth - main concern - we don't have visibility on what is happening on the Heroku service, currently have access to a lot of information in GOLD, there is no way to control what they do. They can use these credentials for anything else on campus where students can log in.
- We will have to provide a roadmap for providing them secure access
- Steven - we want to look for ways to support them and want to frame our conversations in this way
- The larger campus needs to be involved, not just SIST and Reg
- Josh - this will happen again, so taking the time to build the framework now will pay off in the long run.
|