{{SecReviewInfo
|SecReview name=Private Elastic Search
|SecReview target=<bugzilla>
{
"id":"943909"
}
</bugzilla>
}}
{{SecReview
|SecReview feature goal=Part 3 of the Bugzilla ETL: This meeting is to deal with the specific issues of having bug metadata (including security bugs) freely available on an ES cluster behind LDAP
This SecReview Bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=943909
Architecture (same as before):
https://bugzilla.mozilla.org/attachment.cgi?id=8337813
Summary of what is available on private bugs (pulled from Metrics' cluster):
https://bugzilla.mozilla.org/attachment.cgi?id=8341163
Previous SecReview (public bugs only):
https://wiki.mozilla.org/Security/Reviews/BZ_Elastic_Search
Overall Project About:
https://wiki.mozilla.org/Auto-tools/Projects/PublicES
Code:
https://github.com/klahnakoski/Bugzilla-ETL
==Goal==
We want to deliver accurate aggregate numbers for overall project summaries. https://metrics.mozilla.com/bugzilla-analysis/Security_Q1_Goal.html
|SecReview solution chosen=* Private bugs ARE included.
* No comments or short_desc (summary) are allowed on any bugs
* There has been a similar discussion already, but in the context of making this public: concern that the cc list can be mined: https://bugzilla.mozilla.org/show_bug.cgi?id=823303#c17
|SecReview threats considered=* Private bugs ARE included.
* No comments or short_desc (summary) are allowed on any bugs
* There has been a similar discussion already, but in the context of making this public: concern that the cc list can be mined: https://bugzilla.mozilla.org/show_bug.cgi?id=823303#c17
|SecReview threat brainstorming=* Whiteboards could have sensitive info
* Legal bugs? (bug group and product)
* HR?
* Finance and "confidential"?
* Dashboard results made public?
* "visual" cue to not get the public/private mixed up
* proxy in front of this instance
* more exposure of security bugs (but low), medium increase in utility
}}
{{SecReviewActionStatus
|SecReview action item status=In Progress
|SecReview action items=* add "this is private" indicator
* remove legal, hr, finance, confidential (and more?)
* verify if legal product dominates all the confidential bugs
}}
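As an added illustration of the decisions and action items above (not code from Bugzilla-ETL or from this review): a sanitisation step that strips comments and short_desc from every record, drops bugs in the excluded groups/products, and tags restricted bugs with a "this is private" indicator before they reach the ES cluster. Field names, the exact group/product names and the sample records are assumptions.

```python
from typing import Any, Dict, List, Optional

# Fields the review excludes from every bug, public or private.
STRIPPED_FIELDS = ("comments", "short_desc")
# Groups and products the action items say to remove entirely; the exact
# Bugzilla group/product names are assumptions, not taken from the review.
EXCLUDED_GROUPS = {"legal", "hr", "finance", "confidential"}
EXCLUDED_PRODUCTS = {"Legal"}


def sanitize_bug(bug: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return an ES-safe copy of one bug record, or None if it must be dropped."""
    groups = {g.lower() for g in bug.get("groups", [])}
    if groups & EXCLUDED_GROUPS or bug.get("product") in EXCLUDED_PRODUCTS:
        return None
    clean = {k: v for k, v in bug.items() if k not in STRIPPED_FIELDS}
    # "this is private" indicator: a bug in any group is restricted in Bugzilla.
    clean["is_private"] = bool(groups)
    return clean


def sanitize_batch(bugs: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Apply sanitize_bug to a batch, keeping only records safe to index."""
    return [c for c in (sanitize_bug(b) for b in bugs) if c is not None]


# Constructed sample records (not real Bugzilla data).
SAMPLE_BUGS = [
    {"id": 1, "product": "Firefox", "groups": [], "short_desc": "Crash on start",
     "comments": ["stack trace..."], "cc": ["a@example.org"]},
    {"id": 2, "product": "Core", "groups": ["core-security"],
     "short_desc": "UAF in parser", "comments": ["repro attached"], "cc": []},
    {"id": 3, "product": "Firefox", "groups": ["legal"], "short_desc": "Contract",
     "comments": [], "cc": []},
    {"id": 4, "product": "Legal", "groups": [], "short_desc": "NDA review",
     "comments": [], "cc": []},
]

if __name__ == "__main__":
    for rec in sanitize_batch(SAMPLE_BUGS):
        print(rec)
```

Note that the cc list passes through unchanged, which is exactly the mining concern raised in bug 823303 comment 17; whether to drop or hash it is left open by the review.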