Thunderbird/Security: Difference between revisions

From MozillaWiki
m (→‎Security Component: prose improvement)
(→‎Security Engineering: Provide details on security engineering.)
Line 17: Line 17:


== Security Engineering ==
== Security Engineering ==
Write me.
[https://en.wikipedia.org/wiki/Security_engineering Security engineering] is a sub-discipline in the engineering space which focuses on designing systems which are robust to malicious actors or unintended effects. The most notable academic book describing this field was created by Ross Anderson and is available here: [https://www.cl.cam.ac.uk/~rja14/book.html Security Engineering Book]
 
There are security-specific activities that should occur during all parts of a product's development life-cycle including:
# Design - Designs should be analyzed from an "attacker's mindset" and threat analysis and risk assessment should be performed to determine the risk of such a design. The result may inform additional countermeasures to prevent issues down the road.
# Development - Security needs to be considered during development. This means educating developers, requiring code review, and integrating security into the entire development process via automated tools.
# Testing - Penetration testing are arguably the most popular security activity. In these activities internal or external parties try to find vulnerabilities in the source and will report them responsibly.
# Release - Monitoring should be done to find new vulnerabilities in the field. Vulnerability disclosure programs should exist to provide external researchers a way to report issues. Most importantly, security issues found must be analyzed and fixed in a reasonable amount of time.


== Security Software Engineering ==
== Security Software Engineering ==
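Review bot: The Testing item has a subject-verb mismatch in "Penetration testing are arguably the most popular security activity"; it should read "Penetration testing is". In the same item, "find vulnerabilities in the source" describes source review, while penetration testing normally also exercises the built, running product, so "in the product" would be more accurate. In the opening paragraph, "created by Ross Anderson" reads better as "written by Ross Anderson". The Release item asks for fixes "in a reasonable amount of time" without saying who sets or tracks that target; naming the owner or linking the relevant policy would make it actionable.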

Revision as of 18:30, 7 July 2018

(Note: This page is an active work in progress)

Introduction

Thunderbird cares very strongly about the security and privacy of its users. To this end, there are various security-related activities maintained by the community that this page attempts to document.

There are two main aspects to security-related work:

  1. Security Engineering
    1. Designing Thunderbird to prevent vulnerabilities.
    2. Analyzing risk (and then mitigating it) by performing threat analysis and risk assessment.
    3. Finding vulnerabilities in Thunderbird.
    4. Vulnerability management and incident response activities.
  2. Security Software Engineering
    1. Maintaining/building security-related code (the Security component)
    2. Including strong security standards and technologies when appropriate.
    3. Building/researching new security-related features to improve the security of our users.

Security Engineering

Security engineering is a sub-discipline of engineering that focuses on designing systems that are robust to malicious actors or unintended effects. The most notable academic book describing this field was written by Ross Anderson and is available here: Security Engineering Book (https://www.cl.cam.ac.uk/~rja14/book.html)

There are security-specific activities that should occur during all parts of a product's development life-cycle including:

  1. Design - Designs should be analyzed from an "attacker's mindset" and threat analysis and risk assessment should be performed to determine the risk of such a design. The result may inform additional countermeasures to prevent issues down the road.
  2. Development - Security needs to be considered during development. This means educating developers, requiring code review, and integrating security into the entire development process via automated tools.
  3. Testing - Penetration testing is arguably the most popular security activity. In these activities, internal or external parties try to find vulnerabilities in the source and report them responsibly.
  4. Release - Monitoring should be done to find new vulnerabilities in the field. Vulnerability disclosure programs should exist to provide external researchers a way to report issues. Most importantly, security issues found must be analyzed and fixed in a reasonable amount of time.

Security Software Engineering

Security software engineering refers to software engineering related to security, rather than the security engineering discipline itself. This section describes various activities in that area:

Security Component

Issues and suggestions relating to the security-feature aspects of Thunderbird can be found on Bugzilla here: Bugzilla Security Component Page

The trend of open bugs in the security component can be found here: Bugzilla Charts Link

Trend of open security issues from Jan 2012 to June 2018