Minion User Stories: Difference between revisions

Replaced content with "This document has been moved to https://github.com/mozilla/minion/wiki/User-Stories to keep all Minion development related things together on Github."
 
This document has been moved to https://github.com/mozilla/minion/wiki/User-Stories to keep all Minion development-related things together on GitHub.
= Security Assurance Team Stories =
 
==== I want to be able to invite Web Developers to use Minion ====
 
I would like to invite people to use Minion by entering their email address. Minion should then send a signup email to the developer.
 
==== I want to be able to add sites to Minion and create specific test plans for those sites ====
 
I want to be able to maintain a list of sites and create specific test plans for those sites. A test plan includes a description of what tools will be run as part of the plan together with an optional configuration for those tools.
 
==== I want to be able to give Web Developers access to test plans for specific sites ====
 
I want to easily give developers access to plans so that they can see the results and run the plan.
 
==== I want to see statistics about the kind of issues that Minion finds across all sites ====
 
I would like to see statistics on, for example, the most common issues found or the longest outstanding issues.
 
==== I want to see statistics about the kind of issues that Minion finds per team ====
 
That way we can identify where more training or better developer tools are required.
 
==== I want to easily add Zest scripts to Minion so that we can easily check found websec bugs ====
 
I would like to create or record a Zest script as part of the websec bug validation process, then upload that script to Minion and make it part of a test plan, so that reviewers and developers can easily see the status of those websec bugs.
 
==== I want to see how much we have saved in bug bounties by using Minion ====
 
If we can assign a realistic bounty cost to each issue we find with Minion then we can quantify how much we are saving by using it and therefore hopefully justify more time spent improving it.
 
= Web Developer Stories =
 
==== I want to be able to request a test plan for a site that I am working on ====
 
When a specific site is not yet covered by Minion, I would like to be able to request that a test plan be made for it, ideally simply by filling in an online form.
 
==== I want to login to Minion and see all the current open issues for the sites that I work on or that I am responsible for ====
 
This would show all the results from the most recent scans for all sites that I work on.
 
==== I want to be able to start a scan when I have made changes to a deployed site ====
 
I want to push a button to start a scan.
 
==== I want to easily share a specific result with my colleagues ====
 
I want to copy and paste a direct link to a found issue into a chat, an email or a Bugzilla bug.
 
==== I want to easily file bugs for issues that Minion finds ====
 
I want to be able to easily file bugs on found issues.
 
==== I would like to be able to mute a found issue if it is a false positive ====
 
When a found issue is a false positive, I want to be able to mark it as such so that it does not show up in future scan results.
 
==== I would like to be able to take meaningful action based on the results because they are rarely false positives ====
 
Issues that are found should have a very low false positive rate so developers don't need an external security specialist to vet the results before they take action.
 
= Minion Operational Stories =
 
==== I want to be able to easily spin up extra servers to scale Minion horizontally ====
 
Adding extra capacity to Minion should be as easy as spinning up an extra instance. This extra instance should be able to run test workers without any special configuration.
 
==== I want to be able to control the external IP address that Minion uses for scans ====
 
 
==== I want to be able to easily scan a large number of websites ====
 
==== I want to be able to scan in a "passive observation" mode so people can initiate scans against sites they don't own and get some results ====
 
==== I want to be able to schedule scans to run on a regular basis and report diffs ====
A regular scan would report if site X changed from test Y with result state A to test Y with result state B.
 
= Security Tool Maintainer Stories =
 
==== I want to find out which tools give the most false positives and negatives per vulnerability type ====
 
==== I want to find out which tools are effective for which application types (e.g. Ajax) ====
 
==== I want to find out which sort of vulnerabilities all of the tools miss ====
 
==== I want to find out how long tools take when looking for specific issues ====
 
==== I want to find out when my tool gives false positives and negatives ====