Changes

<cite>This is the first Minion release that is a security testing framework built by Mozilla ready for large scale adoption with access management features to bridge the gap between developers constrain which users can access scan results, and security testers. To do so, it enables developers an invitation system to scan their projects using a friendly interfaceactively engage new users.</cite>

A simplified = Minion diagram:Principles =

===Minion should be easy to use.===A user should be able to log into Minion and immediately start to launch scans against sites available to them. Results should be easy to discover and contain detailed explanations. ===The target audience for Minion should be developers===Developers should be able to use Minion the moment they have code written that can be tested. The initial focus will be on supporting web applications and services, but this should extend to other applications with the cohort feature set. The initial guidance surfaced by the default reporting engine should be useful, accurate, and actionable by developers, and meaningful to other audiences (QA, Security, Management). ===Minion is a platform, not a security tool===Minion is an extensible platform that allows automation of security tasks. As such the focus should be on providing strong abstractions and a reliable, extensible platform without binding the platform to a specific suite of tools. All security testing functionality should be external to Minion and implemented via plugins. ===Minion is scalable and extensible===It should be simple to add support for unsupported tools. In addition to the ease with which plugins can be authored, the plugin architecture must isolate plugin related issues from the core platform and allow delegation out to separate infrastructure, and must support scaling from small teams to enterprises that may deliver services to third parties. ===Minion is a secure tool===Ongoing security testing and security assessment should be performed on Minion. Major releases and milestones should be accompanied with a detailed explanation of data collected, and risks or threats posed by the tools and plugins that are shipped by the core development team.  ===Minion is open===Minion is an open source platform, and the core team actively encourages developers, security professionals, and interested parties to provide feedback and feature requests. = Architecture=[[File:Minon_diagramminion-03-diagram-draft.png]] The Minion Front-End is an Angular.js based application that invokes a set of API on the backend. The backend is comprised of a set of services that are collectively referred to as the Task Engine, and a set of plugins. The architecture is designed to be distributed so the plugins can run on any platform that can expose the correct API, ensuring that tools can be incorporated into Minion regardless of operating system dependencies.

=== Initial Release (Q4, 2012) Q3 2013 === * Web InterfaceSite Ownership Verification* Task Engine* 4 Task Engine Plugins** Garmr** Zed Attack Proxy** Skipfish** NMap* Store data in a dbResults Reporting Improvements* Security test on minion - basic security review=== Beta Release (Q1, Q4 2013)=== * "Intensity" Scale** Guidance to plugins the depth of time and effort the plugin should expend** Fast, Normal, * Interpolation Support* Common configuration facility* Site Ownership Authentication* Site and User data privacy* Reporting Engine* 3 Reporting Engine Plugins** Bugzilla Support - "File Bug" featureLanding Pages** ObservatoryDeferred Execution Plugins** DEX-JSON Support* Amazon AMI Maintenance* Virtual ApplianceScan Intensity Level* Full Review (Team Review included)=== Wishlist Q1 2014 === * Pluggable UI componentsCohort PoC*Historical Issue Tracking* Ability for Task Interpolation Engine and Reporting Engine plugins to extend UI elements** "Paths" Common Configuration Schema (Extending DEX- allow a user to define multiple paths to initiating a project*** URL*** Repo*** Vagrant Instructions* Version checking pluginJSON)

* We also use the #minion websectools channel on irc.mozilla.org