Latest edit by Klahnakoski (minor edit, no edit summary)
Latest revision as of 16:35, 19 December 2013
Item Reviewed
| Item | Private Elastic Search |
| Target | bug 943909 (https://bugzilla.mozilla.org/show_bug.cgi?id=943909) |
Introduce the Feature
Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)
Part 3 of the Bugzilla ETL: this meeting is to deal with the specific issues of having bug metadata (including security bugs) freely available on an ES cluster behind LDAP.
This SecReview Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=943909
Architecture (same as before): https://bugzilla.mozilla.org/attachment.cgi?id=8337813
Summary of what is available on private bugs (pulled from Metrics' cluster): https://bugzilla.mozilla.org/attachment.cgi?id=8341163
Previous SecReview (public bugs only): https://wiki.mozilla.org/Security/Reviews/BZ_Elastic_Search
Overall Project About: https://wiki.mozilla.org/Auto-tools/Projects/PublicES
Code: https://github.com/klahnakoski/Bugzilla-ETL
Goal
We want to deliver accurate aggregate numbers for overall project summaries: https://metrics.mozilla.com/bugzilla-analysis/Security_Q1_Goal.html
What solutions/approaches were considered other than the proposed solution?
(none recorded)
Why was this solution chosen?
- Private bugs ARE included.
- No comments or short_desc (summary) fields are included for any bug.
- There has been a similar discussion already, but in the context of making this public; the concern was that the cc list can be mined: https://bugzilla.mozilla.org/show_bug.cgi?id=823303#c17
Any security threats already considered in the design and why?
- Private bugs ARE included.
- No comments or short_desc (summary) fields are included for any bug.
- There has been a similar discussion already, but in the context of making this public; the concern was that the cc list can be mined: https://bugzilla.mozilla.org/show_bug.cgi?id=823303#c17
Threat Brainstorming
- Whiteboards could have sensitive info
- Legal bugs? (bug group and product)
- HR?
- Finance and "confidential"?
- Dashboard results made public?
- "visual" cue to not get the public/private mixed up
- proxy in front of this instance
- more exposure of security bugs (but low), medium increase in utility
Action Items
| Action Item Status | In Progress |
| Release Target | (none) |
| Action Items | see list below |
- add "this is private" indicator
- remove legal, hr, finance, confidential (and more?)
- verify if legal product dominates all the confidential bugs
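As an added illustration of the decisions and action items above (not code from the Bugzilla-ETL project), the following Python filter strips comments and short_desc before indexing, drops bugs in the legal/HR/finance/confidential groups or the Legal product, adds the "this is private" indicator, and counts confidential bugs per product for the "does legal dominate?" check; the field, group and product names and the sample records are assumptions.

```python
"""Data-minimisation filter for bug records bound for the private ES cluster.
Added example, not Bugzilla-ETL code; field, group and product names and the
sample data are assumptions modelled on Bugzilla's schema."""

from collections import Counter

# Fields the review decided must never reach the cluster.
STRIPPED_FIELDS = {"comments", "short_desc"}
# Groups and products the action items say must be removed entirely (assumed names).
EXCLUDED_GROUPS = {"legal", "hr", "finance", "confidential"}
EXCLUDED_PRODUCTS = {"Legal"}


def minimise(bug):
    """Return a copy of `bug` safe to index, or None if the bug must be dropped."""
    groups = {g.lower() for g in bug.get("groups", [])}
    if groups & EXCLUDED_GROUPS or bug.get("product") in EXCLUDED_PRODUCTS:
        return None
    doc = {k: v for k, v in bug.items() if k not in STRIPPED_FIELDS}
    # The "this is private" indicator: any group membership means the bug is not public.
    doc["is_private"] = bool(groups)
    return doc


def minimise_all(bugs):
    """Apply minimise() to a batch, dropping the bugs it rejects."""
    return [doc for doc in (minimise(b) for b in bugs) if doc is not None]


def confidential_by_product(bugs):
    """Count bugs in the 'confidential' group per product, for the action item
    'verify if legal product dominates all the confidential bugs'."""
    return Counter(
        b.get("product") for b in bugs
        if "confidential" in {g.lower() for g in b.get("groups", [])}
    )


SAMPLE_BUGS = [  # constructed sample records, not real Bugzilla data
    {"bug_id": 1, "product": "Firefox", "groups": [], "short_desc": "Crash", "comments": ["..."]},
    {"bug_id": 2, "product": "Core", "groups": ["core-security"], "short_desc": "Bug", "comments": ["..."]},
    {"bug_id": 3, "product": "Legal", "groups": ["confidential"], "short_desc": "Contract", "comments": []},
    {"bug_id": 4, "product": "Firefox", "groups": ["Confidential"], "short_desc": "Deal", "comments": []},
    {"bug_id": 5, "product": "Websites", "groups": ["hr"], "short_desc": "Hiring", "comments": []},
]
```

Running `minimise_all(SAMPLE_BUGS)` keeps only bugs 1 and 2, with bug 2 flagged private because of its security group; the per-product count shows where the confidential-group bugs actually live.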