Security/Reviews/esPrivate: Difference between revisions
No edit summary |
Klahnakoski (talk | contribs) mNo edit summary |
||
| Line 9: | Line 9: | ||
{{SecReview | {{SecReview | ||
|SecReview feature goal=Part 3 of the Bugzilla ETL: This meeting is to deal with the specific issues of having bug metatdata (including security bugs) freely available on an ES cluster behind LDAP | |SecReview feature goal=Part 3 of the Bugzilla ETL: This meeting is to deal with the specific issues of having bug metatdata (including security bugs) freely available on an ES cluster behind LDAP | ||
This SecReview Bug: | This SecReview Bug: | ||
https://bugzilla.mozilla.org/show_bug.cgi?id=943909 | https://bugzilla.mozilla.org/show_bug.cgi?id=943909 | ||
Architecture (same as before): | Architecture (same as before): | ||
https://bugzilla.mozilla.org/attachment.cgi?id=8337813 | https://bugzilla.mozilla.org/attachment.cgi?id=8337813 | ||
Summary of what is available on private bugs (pulled from Metrics' cluster): | Summary of what is available on private bugs (pulled from Metrics' cluster): | ||
https://bugzilla.mozilla.org/attachment.cgi?id=8341163 | https://bugzilla.mozilla.org/attachment.cgi?id=8341163 | ||
Previous SecReview (public bugs only) | Previous SecReview (public bugs only) | ||
https://wiki.mozilla.org/Security/Reviews/BZ_Elastic_Search | https://wiki.mozilla.org/Security/Reviews/BZ_Elastic_Search | ||
Overal Project About: | Overal Project About: | ||
https://wiki.mozilla.org/Auto-tools/Projects/PublicES | https://wiki.mozilla.org/Auto-tools/Projects/PublicES | ||
Code: | Code: | ||
https://github.com/klahnakoski/Bugzilla-ETL | https://github.com/klahnakoski/Bugzilla-ETL | ||
Latest revision as of 16:35, 19 December 2013
Item Reviewed
| Private Elastic Search | |
| Target | No results. 0 Total; 0 Open (0%); 0 Resolved (0%); 0 Verified (0%); |
{{#set:SecReview name=Private Elastic Search
|SecReview target=
No results.
0 Total; 0 Open (0%); 0 Resolved (0%); 0 Verified (0%);
}}
Introduce the Feature
Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)
Part 3 of the Bugzilla ETL: This meeting is to deal with the specific issues of having bug metatdata (including security bugs) freely available on an ES cluster behind LDAP
This SecReview Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=943909
Architecture (same as before): https://bugzilla.mozilla.org/attachment.cgi?id=8337813
Summary of what is available on private bugs (pulled from Metrics' cluster): https://bugzilla.mozilla.org/attachment.cgi?id=8341163
Previous SecReview (public bugs only) https://wiki.mozilla.org/Security/Reviews/BZ_Elastic_Search
Overal Project About: https://wiki.mozilla.org/Auto-tools/Projects/PublicES
Code: https://github.com/klahnakoski/Bugzilla-ETL
Goal
We want to deliver accurate aggregate numbers for overal project summaries. https://metrics.mozilla.com/bugzilla-analysis/Security_Q1_Goal.html
What solutions/approaches were considered other than the proposed solution?
`
Why was this solution chosen?
- Private bugs ARE included.
- No comments, short_desc (summary) are allowed on any bugs
- There has been a similar discussion already, but in the context of making this public: concern that cc list can be mined: https://bugzilla.mozilla.org/show_bug.cgi?id=823303#c17
Any security threats already considered in the design and why?
- Private bugs ARE included.
- No comments, short_desc (summary) are allowed on any bugs
- There has been a similar discussion already, but in the context of making this public: concern that cc list can be mined: https://bugzilla.mozilla.org/show_bug.cgi?id=823303#c17
Threat Brainstorming
Whiteboards could have sensitive info
- Legal bugs? (bug group and product)
- HR?
- Finance and "confidential"?
- Dashboard results made public?
- "visual" cue to not get the public/private mixed up
- proxy in front of this instance
- more exposure of security bugs (but low), medium increase in utility
{{#set: SecReview feature goal=Part 3 of the Bugzilla ETL: This meeting is to deal with the specific issues of having bug metatdata (including security bugs) freely available on an ES cluster behind LDAP
This SecReview Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=943909
Architecture (same as before): https://bugzilla.mozilla.org/attachment.cgi?id=8337813
Summary of what is available on private bugs (pulled from Metrics' cluster): https://bugzilla.mozilla.org/attachment.cgi?id=8341163
Previous SecReview (public bugs only) https://wiki.mozilla.org/Security/Reviews/BZ_Elastic_Search
Overal Project About: https://wiki.mozilla.org/Auto-tools/Projects/PublicES
Code: https://github.com/klahnakoski/Bugzilla-ETL
Goal
We want to deliver accurate aggregate numbers for overal project summaries. https://metrics.mozilla.com/bugzilla-analysis/Security_Q1_Goal.html
|SecReview alt solutions=' |SecReview solution chosen=* Private bugs ARE included.
- No comments, short_desc (summary) are allowed on any bugs
- There has been a similar discussion already, but in the context of making this public: concern that cc list can be mined: https://bugzilla.mozilla.org/show_bug.cgi?id=823303#c17
|SecReview threats considered=* Private bugs ARE included.
- No comments, short_desc (summary) are allowed on any bugs
- There has been a similar discussion already, but in the context of making this public: concern that cc list can be mined: https://bugzilla.mozilla.org/show_bug.cgi?id=823303#c17
|SecReview threat brainstorming=Whiteboards could have sensitive info
- Legal bugs? (bug group and product)
- HR?
- Finance and "confidential"?
- Dashboard results made public?
- "visual" cue to not get the public/private mixed up
- proxy in front of this instance
- more exposure of security bugs (but low), medium increase in utility
}}
Action Items
| Action Item Status | In Progress |
| Release Target | ` |
| Action Items | |
* add "this is private" indicator
|
|
{{#set:|SecReview action item status=In Progress
|Feature version=` |SecReview action items=* add "this is private" indicator
- remove legal, hr, finance, confidential (and more?)
- verify if legal product dominates all the confidential bugs
}}