Apps/Security/Meeting-2012-04-06
From MozillaWiki
Attendees
- Michael Coates
- Mike Hanson
- Bill Walker
- James Straus
- Ragavan
- Chris Lee
- Ian Melven
Agenda
Flow of Security
- Who is driving security model creation - gap?
- Chris Jones
- Jim Straus
- Concerns from Mike Hanson that this isn't effective enough
- Need desktop, android, across whole webapi
- Mike believes security engineering / Lucas to lead the model
- Need to create
- What is the security bar/standard that we need across the board
- B2G has additional security considerations on top of the WebAPI security concerns
- Possible Work Flow
- Creation of Security Model - Security Engineering
- Development - Development Teams
- Threat Modeling, Verification - Security Assurance
Proposal from Mike Hanson
Each Friday:
- Work down the WebAPI list contained in the spreadsheet, from top to bottom
- For each item, fill out Lucas' template and get signoff from product that the use cases are understood by security
- Link for Lucas' template?
- Provide security requirements for building (Security Engineering & All)
- Identify security concerns that need additional consideration/research (Security Engineering & All)
- Continue until 2:00 and we run out of time. Moving quickly through the use cases would be wise.
Then:
- Security team (security assurance) has a week to fill out threats, severity, mitigations, authorization model, and describe implementation requirements
- Product team to sign off on that, and implementation to commence the next Friday. Sooner is okay, of course.
And we can cycle that, weekly?