Security/Reviews/ChicagoSummerLearning

From MozillaWiki

Item Reviewed

Chicago Summer of Learning Website (incl. aestimia and openbadger)
Target
Full Query
ID Summary Priority Status
879991 SecReview: Aestima -- RESOLVED
881706 SecReview: CSOL-site -- RESOLVED

2 Total; 0 Open (0%); 2 Resolved (100%); 0 Verified (0%);


Introduce the Feature

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

Q1: How do the three sites aestimia, csol-site and openbadger v2 interplay?

    aestimia <--(basic auth)--- csol-site ---(jwt signatures)-> openbadger (v2.0 branch)

csol-site (main site): email handling via a 3rd party (Mandrill), http://mandrill.com/

Aestimia docs:
http://mozilla.github.io/aestimia/#submission-create
http://mozilla.github.io/aestimia/#schemas (onChange)

A badge you can apply for: http://csol-aws.mofostaging.net/earn/vintage-animated-gif

What solutions/approaches were considered other than the proposed solution?


Why was this solution chosen?


Any security threats already considered in the design and why?

- auth in csol
- file upload
- xss
- traffic between sites ()
- mysql (one single database for all data, including PII)
- demo/ publicly available on production

Threat Brainstorming


Action Items

Action Item Status: In Progress
Release Target:
Action Items:
* chris :: add persona-auth to demo/ :: xx
