Confirmed users
180
edits
Security/Reviews/Identity: Difference between revisions
Jump to navigation
Jump to search
→New Section
No edit summary |
|||
| Line 1: | Line 1: | ||
== | == Status == | ||
{| class="wikitable" | |||
|- | |||
! colspan="2" | Identity (browserid) | |||
|- | |||
| Tracker Bug | |||
| - | |||
|- | |||
| Stage | |||
| Definition | |||
|- | |||
| Status | |||
| Red (Green, Yellow, Red?) | |||
|- | |||
| Release Target | |||
| Live | |||
|- | |||
| Health | |||
| - | |||
|- | |||
| Status Note | |||
| Demo is live, secreview is underway | |||
|} | |||
== Team == | |||
{| class="wikitable" | |||
|- | |||
| Product manager | |||
| - | |||
|- | |||
|Feature manager | |||
| - | |||
|- | |||
| Engineering lead | |||
| - | |||
|- | |||
| Infrastructure Security lead | |||
| Yvan Boily | |||
|- | |||
| Product Security lead | |||
| Sid Stamm | |||
|- | |||
|Privacy lead | |||
| Sid Stamm | |||
|- | |||
|Localization lead | |||
| - | |||
|- | |||
|Accessibility lead | |||
| - | |||
|- | |||
|QA lead | |||
| - | |||
|- | |||
|UX lead | |||
| - | |||
|- | |||
|Product marketing lead | |||
| - | |||
|- | |||
|Additional members | |||
| - | |||
|} | |||
== Open issues/risks == | |||
== Stage 1: Definition == | |||
=== Introduction === | |||
Include brief summary of feature/project, and link back to core feature/product pages. | |||
=== Use Cases === | |||
=== Data Flows === | |||
=== Architecture Diagram === | |||
== Stage 2: Design == | |||
=== Threat Model === | |||
Upload threat model diagram | |||
Include links to relevant files, etc, here. | |||
=== Business Test Cases === | |||
Document application specific test cases here | |||
== Stage 3: Planning == | |||
=== Application Security Requirements === | |||
Document individual requirements for the application here (e.g. CEF logging, captcha, etc) | |||
=== Operation Security Requirements === | |||
Document network/platform security requirements here (e.g. IDS concerns, firewall changes, system hardening reqs, etc) | |||
=== Critical Security Requirements === | |||
Itemize individual security blockers here. Reference components in section AppSec or OpSec subsections. | |||
These blockers must be addressed before the product can go live. | |||
== Stage 4: Development == | |||
=== Repeatable Security Test Cases === | |||
Document individual repeatable security test cases here. Include a reference to the source repo, and documentation that governs how to execute test cases. | |||
=== Secure Coding Guidelines === | |||
Document specific secure coding guidelines to be followed and relate them to specific issues/requirements that are specified; capture bug ids related to those issues. | |||
=== Code Review Milestones === | |||
Table 1 - itemized list of code review milestones {i.e. breakdown of specific components that will be reviewed} | |||
Table 2 - list of app components/modules that should trigger additional security review (e.g. auth, csrf, file upload handling, etc) | |||
== Stage 5: Release == | |||
=== Application Security Verification === | |||
These subsections should contain a list of the steps to be taken, and the status of each activity | |||
==== Code Review ==== | |||
==== Automated Security Testing ==== | |||
==== Manual Security Testing ==== | |||
=== Operational Security Verification === | |||
==== ArcSight Information ==== | |||
==== Network Design Security Review ==== | |||
==== Database Security Review ==== | |||
==== Platform Security (Hardening & Specific Config Requirements) ==== | |||
=== Landing Criteria === | |||
This should be a table itemizing everything from Stage 3 - Critical Security Requirements, including status. | |||
For status Red=Unimplemented,Yellow=implemented,Green=tested and passed? | |||
== Stage 6: Post Implementation Review == | |||
=== Production Security Considerations === | |||
Document additional/ongoing work for this application (e.g. specific things to watch for in ArcSight, gaming behaviour, etc) | |||
=== Post Implementation Tasks === | |||
Itemize process/kb changes developed from this project (e.g. secure coding guidelines, policy stuff, etc) | |||
== Infrastructure Team Details == | |||
{| class="wikitable" | |||
|Priority | |||
|High | |||
|- | |||
|Goal Related | |||
|Yes (2011Q3) | |||
|- | |||
|Primary Team | |||
|Web Application Security | |||
|} | |||
== Team status notes == | |||
{| class="wikitable" | |||
! | |||
!status | |||
!notes | |||
|- | |||
|Products | |||
|tbd | |||
| - | |||
|- | |||
|Engineering | |||
| tbd | |||
| - | |||
|- | |||
|Engineering | |||
| tbd | |||
| - | |||
|- | |||
|Engineering | |||
| tbd | |||
| - | |||
|- | |||
|Engineering | |||
| tbd | |||
| - | |||
|- | |||
|Engineering | |||
| tbd | |||
| - | |||
|- | |||
|Engineering | |||
| tbd | |||
| - | |||
|- | |||
|Engineering | |||
| tbd | |||
| - | |||
|- | |||
|Engineering | |||
| tbd | |||
| - | |||
|} | |||