Security/Reviews/esPrivate

From MozillaWiki
Jump to navigation Jump to search
Please use "Edit with form" above to edit this page.

Item Reviewed

Private Elastic Search
Target

No results.

0 Total; 0 Open (0%); 0 Resolved (0%); 0 Verified (0%);

{{#set:SecReview name=Private Elastic Search

|SecReview target=

No results.

0 Total; 0 Open (0%); 0 Resolved (0%); 0 Verified (0%);

}}

Introduce the Feature

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

Part 3 of the Bugzilla ETL: This meeting is to deal with the specific issues of having bug metatdata (including security bugs) freely available on an ES cluster behind LDAP

This SecReview Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=943909

Architecture (same as before): https://bugzilla.mozilla.org/attachment.cgi?id=8337813

Summary of what is available on private bugs (pulled from Metrics' cluster): https://bugzilla.mozilla.org/attachment.cgi?id=8341163

Previous SecReview (public bugs only) https://wiki.mozilla.org/Security/Reviews/BZ_Elastic_Search

Overal Project About: https://wiki.mozilla.org/Auto-tools/Projects/PublicES

Code: https://github.com/klahnakoski/Bugzilla-ETL

Goal

   We want to deliver accurate aggregate numbers for overal project summaries.  https://metrics.mozilla.com/bugzilla-analysis/Security_Q1_Goal.html

What solutions/approaches were considered other than the proposed solution?

`

Why was this solution chosen?

Any security threats already considered in the design and why?

Threat Brainstorming

Whiteboards could have sensitive info

  • Legal bugs? (bug group and product)
  • HR?
  • Finance and "confidential"?
  • Dashboard results made public?
  • "visual" cue to not get the public/private mixed up
  • proxy in front of this instance
  • more exposure of security bugs (but low), medium increase in utility

{{#set: SecReview feature goal=Part 3 of the Bugzilla ETL: This meeting is to deal with the specific issues of having bug metatdata (including security bugs) freely available on an ES cluster behind LDAP

This SecReview Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=943909

Architecture (same as before): https://bugzilla.mozilla.org/attachment.cgi?id=8337813

Summary of what is available on private bugs (pulled from Metrics' cluster): https://bugzilla.mozilla.org/attachment.cgi?id=8341163

Previous SecReview (public bugs only) https://wiki.mozilla.org/Security/Reviews/BZ_Elastic_Search

Overal Project About: https://wiki.mozilla.org/Auto-tools/Projects/PublicES

Code: https://github.com/klahnakoski/Bugzilla-ETL

Goal

   We want to deliver accurate aggregate numbers for overal project summaries.  https://metrics.mozilla.com/bugzilla-analysis/Security_Q1_Goal.html

|SecReview alt solutions=' |SecReview solution chosen=* Private bugs ARE included.

|SecReview threats considered=* Private bugs ARE included.

|SecReview threat brainstorming=Whiteboards could have sensitive info

  • Legal bugs? (bug group and product)
  • HR?
  • Finance and "confidential"?
  • Dashboard results made public?
  • "visual" cue to not get the public/private mixed up
  • proxy in front of this instance
  • more exposure of security bugs (but low), medium increase in utility

}}

Action Items

Action Item Status In Progress
Release Target `
Action Items
* add "this is private" indicator
  • remove legal, hr, finance, confidential (and more?)
  • verify if legal product dominates all the confidential bugs

{{#set:|SecReview action item status=In Progress

|Feature version=` |SecReview action items=* add "this is private" indicator

  • remove legal, hr, finance, confidential (and more?)
  • verify if legal product dominates all the confidential bugs

}}

Retrieved from "https://wiki.mozilla.org/index.php?title=Security/Reviews/esPrivate&oldid=806759"