Security/Reviews/ReleaseKickOffSys

From MozillaWiki

Item Reviewed

Release Kickoff System
Target
   
   
ID | Summary | Priority | Status
763929 | tracking bug for initial implementation + deployment of release kickoff and release runner | P3 | RESOLVED
810472 | security review of release kickoff system | -- | RESOLVED

2 Total; 0 Open (0%); 2 Resolved (100%); 0 Verified (0%);

http://rail:isawesome@dev-master01.build.scl1.mozilla.com:5000

http://git.mozilla.org/?p=build/release-kickoff.git;a=summary


Introduce the Feature

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

  • This is currently done manually; this project is meant to automate the tasks for release automation
    • builds Firefox, Fennec, Thunderbird
  • webapp behind a VPN
  • submit information to start a new release
  • gathers info, bumps things, does all the build stuff and checks and starts the release
  • should only be accessible by RelEng (for now)

What solutions/approaches were considered other than the proposed solution?

  • continue to be a manual solution

Why was this solution chosen?


Any security threats already considered in the design and why?

  • regular web security issues (CSRF considered)
  • authentication - moving to LDAP-based authentication using Apache (new LDAP group?)

Threat Brainstorming

  • remote code execution
  • cover off on web security


Action Items

Action Item Status In Progress
Release Target
Action Items
   
   
ID | Summary | Priority | Status
812230 | SecReview Item: Review WebAppSec Secure coding checklist | -- | RESOLVED
812232 | SecReview Item: Log Retention review | -- | RESOLVED
812234 | SecReview Item: Test release kickoff system | -- | RESOLVED

3 Total; 0 Open (0%); 3 Resolved (100%); 0 Verified (0%);
