Security/Reviews/ChicagoSummerLearning

From MozillaWiki

Item Reviewed

Chicago Summer of Learning Website (incl. aestimia and openbadger)
Target
   
     Full Query    
ID       Summary                 Priority   Status
879991   SecReview: Aestima      --         RESOLVED
881706   SecReview: CSOL-site    --         RESOLVED

2 Total; 0 Open (0%); 2 Resolved (100%); 0 Verified (0%);


Introduce the Feature

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

Q1: How do the three sites aestima, csol-site and badger v2 interplay?

    aestima <--(basic auth)--- csol-site ---(jwt signatures)-> openbadger (v2.0 branch)

csol (main site): email handling via 3rd party (mandrill) http://mandrill.com/

http://mozilla.github.io/aestimia/#submission-create
http://mozilla.github.io/aestimia/#schemas (onChange)

A badge you can apply for: http://csol-aws.mofostaging.net/earn/vintage-animated-gif

What solutions/approaches were considered other than the proposed solution?


Why was this solution chosen?


Any security threats already considered in the design and why?

- auth in csol
- file upload
- xss
- traffic between sites ()
- mysql (one single database for all data, including PII)
- demo/ publicly available on production

Threat Brainstorming



Action Items

Action Item Status: In Progress
Release Target:
Action Items
* chris :: add persona-auth to demo/ :: xx