Security/Reviews/ReleaseKickOffSys: Difference between revisions

From MozillaWiki

Latest revision as of 16:25, 3 December 2012


Item Reviewed

Release Kickoff System
Target

ID      Summary                                                                                     Priority  Status
763929  tracking bug for initial implementation + deployment of release kickoff and release runner  P3        RESOLVED
810472  security review of release kickoff system                                                   --        RESOLVED

2 Total; 0 Open (0%); 2 Resolved (100%); 0 Verified (0%);

http://rail:isawesome@dev-master01.build.scl1.mozilla.com:5000

http://git.mozilla.org/?p=build/release-kickoff.git;a=summary


Introduce the Feature

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

  • This is currently done manually; this project is meant to automate the tasks of release automation
    • builds Firefox, Fennec, Thunderbird
  • webapp behind a VPN
  • submit information to start a new release
  • gathers info, bumps things, does all the build stuff and checks, and starts the release
  • should only be accessible by RelEng (for now)

What solutions/approaches were considered other than the proposed solution?

  • continue to be a manual solution

Why was this solution chosen?

`

Any security threats already considered in the design and why?

  • regular web security issues (CSRF considered)
  • authentication: moving to LDAP-based authentication using Apache (new LDAP group?)

Threat Brainstorming

  • remote code execution
  • cover off on web security
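As an added illustration of the two access-control decisions recorded above (Apache in front of the webapp, LDAP authentication limited to a RelEng group), and not configuration taken from the release-kickoff project: an Apache 2.4 vhost using mod_authnz_ldap and mod_proxy. The hostname, LDAP base DN, group DN and certificate paths are assumptions; only the backend port 5000 comes from the dev URL on this page.

```apache
# Hypothetical vhost for the release-kickoff webapp. All names, DNs and
# paths below are assumed placeholders, not Mozilla's real deployment.
<VirtualHost *:443>
    ServerName release-kickoff.example.internal
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/release-kickoff.pem
    SSLCertificateKeyFile /etc/ssl/private/release-kickoff.key

    # Apache terminates TLS and proxies to the app listening on
    # localhost:5000 (the port from the dev URL on this page).
    ProxyPass        / http://127.0.0.1:5000/
    ProxyPassReverse / http://127.0.0.1:5000/

    <Location />
        AuthType Basic
        AuthName "Release Kickoff"
        AuthBasicProvider ldap
        # Directory search: bind as the user whose mail matches the login.
        AuthLDAPURL "ldaps://ldap.example.internal/dc=example,dc=internal?mail?sub?(objectClass=inetOrgPerson)"
        # Group membership is resolved via the group's member DNs.
        AuthLDAPGroupAttribute member
        AuthLDAPGroupAttributeIsDN on

        # Weak setting: any account that can bind to the directory is
        # admitted, which does not meet the "RelEng only" requirement.
        # Require valid-user

        # Corrected setting: only members of the dedicated RelEng group
        # (the "new LDAP group" mentioned in the review) are admitted.
        Require ldap-group cn=releng,ou=groups,dc=example,dc=internal
    </Location>
</VirtualHost>
```

With `Require valid-user` replaced by `Require ldap-group`, a successful LDAP bind alone is not enough; membership in the group is checked on every request.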


Action Items

Action Item Status: In Progress
Release Target: `

ID      Summary                                                   Priority  Status
812230  SecReview Item: Review WebAppSec Secure coding checklist  --        RESOLVED
812232  SecReview Item: Log Retention review                      --        RESOLVED
812234  SecReview Item: Test release kickoff system               --        RESOLVED

3 Total; 0 Open (0%); 3 Resolved (100%); 0 Verified (0%);
