Security/Reviews/Identity: Difference between revisions

Jump to navigation Jump to search

Security/Reviews/Identity (view source)

Revision as of 22:31, 13 July 2011

2,880 bytes added ,  13 July 2011
no edit summary
No edit summary
No edit summary
Line 8: Line 8:
|-
|-
| Stage
| Stage
| -
| Definition
|-
|-
| Status
| Status
| -
| Red (Green, Yellow, Red?)
|-
|-
| Release Target
| Release Target
| -
| Live
|-
|-
| Health
| Health
Line 20: Line 20:
|-
|-
| Status Note
| Status Note
| -
| Demo is live, secreview is underway
|}
|}


Line 66: Line 66:
== Stage 1: Definition ==
== Stage 1: Definition ==


=== 1.1 Use Cases ===
=== Introduction ===
Include brief summary of feature/project, and link back to core feature/product pages.
 
=== Use Cases ===


=== 1.2 Data Flows ===
=== Data Flows ===


=== 1.3 Architecture Diagram ===
=== Architecture Diagram ===


== Stage 2: Design ==
== Stage 2: Design ==
=== Threat Model ===
Upload threat model diagram
Include links to relevant files, etc, here.
=== Business Test Cases ===
Document application specific test cases here
== Stage 3: Planning ==
== Stage 3: Planning ==
=== Application Security Requirements ===
Document individual requirements for the application here (e.g. CEF logging, captcha, etc)
=== Operation Security Requirements ===
Document network/platform security requirements here (e.g. IDS concerns, firewall changes, system hardening reqs, etc)
=== Critical Security Requirements ===
Itemize individual security blockers here.  Reference components in section AppSec or OpSec subsections.
These blockers must be addressed before the product can go live.
== Stage 4: Development ==
== Stage 4: Development ==
=== Repeatable Security Test Cases ===
Document individual repeatable security test cases here.  Include a reference to the source repo, and documentation that governs how to execute test cases.
=== Secure Coding Guidelines ===
Document specific secure coding guidelines to be followed and relate them to specific issues/requirements that are specified; capture bug ids related to those issues.
=== Code Review Milestones ===
Table 1 - itemized list of code review milestones {i.e. breakdown of specific components that will be reviewed}
Table 2 - list of app components/modules that should trigger additional security review (e.g. auth, csrf, file upload handling, etc)
== Stage 5: Release ==
== Stage 5: Release ==
=== Application Security Verification ===
These subsections should contain a list of the steps to be taken, and the status of each activity
==== Code Review ====
==== Automated Security Testing ====
==== Manual Security Testing ====
=== Operational Security Verification ===
==== ArcSight Information ====
==== Network Design Security Review ====
==== Database Security Review ====
==== Platform Security (Hardening & Specific Config Requirements) ====
=== Landing Criteria ===
This should be a table itemizing everything from Stage 3 - Critical Security Requirements, including status.
For status Red=Unimplemented,Yellow=implemented,Green=tested and passed?
== Stage 6: Post Implementation Review ==
== Stage 6: Post Implementation Review ==
== Feature Details ==
=== Production Security Considerations ===
Document additional/ongoing work for this application (e.g. specific things to watch for in ArcSight, gaming behaviour, etc)
=== Post Implementation Tasks ===
Itemize process/kb changes developed from this project (e.g. secure coding guidelines, policy stuff, etc)
 
 
== Infrastructure Team Details ==
{| class="wikitable"
|Priority
|High
|-
|Goal Related
|Yes (2011Q3)
|-
|Primary Team
|Web Application Security
|}
== Team status notes ==
== Team status notes ==
{| class="wikitable"
!
!status
!notes
|-
|Products
|tbd
| -
|-
|Engineering
| tbd
| -
|-
|Engineering
| tbd
| -
|-
|Engineering
| tbd
| -
|-
|Engineering
| tbd
| -
|-
|Engineering
| tbd
| -
|-
|Engineering
| tbd
| -
|-
|Engineering
| tbd
| -
|-
|Engineering
| tbd
| -
|}
Yboily
Confirmed users
180

edits

Retrieved from "https://wiki.mozilla.org/Special:MobileDiff/329093"

Navigation menu