WebAppSec/Security Review Request: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
Line 33: Line 33:
== Whiteboard Tags for Security Reviews ==
== Whiteboard Tags for Security Reviews ==
These are the work flow tags for the web security review process.<br>
These are the work flow tags for the web security review process.<br>
Status Tags
Status Tags
* '''[pending secreview]''' - pending to be reviewed
* '''[pending secreview]''' - pending to be reviewed

Revision as of 19:43, 8 December 2010

Infrasec Security Review Request

  1. File a new bug within Bugzilla for the request.
  2. Block an existing deployment request bug with the infrasec review bug.
  3. Assign the bug to Product: Mozilla.org and Component: Infrastructure Security: Web Security. Here is a direct bugzilla link
  4. Make sure to copy clyon <at> mozilla.com and mcoates <at> mozilla.com
  5. Within the request, please answer the questions below


Questions to Address within Request Body

Please copy these questions into the bug and answer inline.

  1. A quick intro to what this app does.
  2. Where is the source code located?
  3. Is there a stage server running that we can also test against? If so, please indicate what machine the web server is running on.
  4. Where would you like the bugs filed in bugzilla? Please specify the product, component and if anyone specific should be copied on the bugs.
  5. Please describe if this app will be connecting to any internal or external services or if it is able to interact with the OS.
  6. Does this app support logins or multiple roles? If so, we'll need test accounts created for each available role.
  7. What is the worst case scenario that could happen with this system, data or connected systems? (This is used to help understand the criticality of this server.)
  8. Does this website contain an administration page? If so, have the admin page blockers (listed here) all been addressed?
  9. This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?

Additional Comments

  • Standard lead time on security review requests is minimum 4-6 weeks
  • Once the review is started it takes 1-2 weeks to complete
  • Critical reviews can be expedited. Please contact us directly as soon as possible
  • Using standard frameworks such as django will decrease the security review time
  • Also reference the secure coding guidelines to self evaluate and eliminate security issues prior to the security review


Whiteboard Tags for Security Reviews

These are the work flow tags for the web security review process.

Status Tags

  • [pending secreview] - pending to be reviewed
  • [in-progress secreview] - it is currently being worked on
  • [completed secreview] - review completed


Waiting on tags

  • [waiting on code complete] - waiting for the code to be completed
  • [waiting on infra setup] - waiting on infrastructure to be setup