Security/Projects/Minion/Roadmap

From MozillaWiki

Q3 2013

Site Ownership Verification

Site Ownership Verification is a feature that will enable administrators to require users and sites to demonstrate ownership or control over a domain before allowing a scan to proceed.

Ownership will be demonstrated in one of three ways:

  • The ability to modify DNS records to present a Minion-specified value
  • The ability to have the application server include content within the root document
  • The ability to place a file with specific values in a specified path on the server
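As an added illustration of the three proofs listed above (this is example code, not Minion's own implementation), the following verifier derives a per-user, per-domain token and checks it against a DNS TXT record, a meta tag in the root document, and a file at a fixed path. The record format, meta tag name, well-known path, and field names are assumptions chosen for the example; DNS and HTTP access are injected as callables and fed constructed data so the block runs offline.

```python
import hashlib
import hmac
from html.parser import HTMLParser
from typing import Callable, Iterable, List, Optional

# Conventions below are assumptions for this example, not Minion's actual ones.
TXT_PREFIX = "minion-verify="                        # DNS TXT record: minion-verify=<token>
META_NAME = "minion-verify"                          # <meta name="minion-verify" content="<token>">
WELL_KNOWN_PATH = "/.well-known/minion-verify.txt"   # file body is the bare token

ResolveTXT = Callable[[str], Iterable[str]]   # domain -> TXT record strings
Fetch = Callable[[str], Optional[str]]        # URL -> response body, or None if not 200/unreachable


def issue_token(server_secret: bytes, user_id: str, domain: str) -> str:
    """Bind the token to (user, domain) with an HMAC so a proof published for one
    claimant or site cannot be replayed to claim another, and nothing is stored."""
    msg = f"{user_id}\x00{domain.lower()}".encode()
    return hmac.new(server_secret, msg, hashlib.sha256).hexdigest()[:32]


def verify_dns(domain: str, token: str, resolve_txt: ResolveTXT) -> bool:
    expected = TXT_PREFIX + token
    return any(hmac.compare_digest(rec.strip(), expected) for rec in resolve_txt(domain))


class _MetaCollector(HTMLParser):
    """Collect content= values of <meta name="minion-verify"> tags."""

    def __init__(self) -> None:
        super().__init__()
        self.values: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): v for k, v in attrs}
        if (a.get("name") or "").lower() == META_NAME and a.get("content"):
            self.values.append(a["content"])


def verify_root_document(domain: str, token: str, fetch: Fetch) -> bool:
    body = fetch(f"https://{domain}/")
    if body is None:
        return False
    parser = _MetaCollector()
    parser.feed(body)
    return any(hmac.compare_digest(v.strip(), token) for v in parser.values)


def verify_file(domain: str, token: str, fetch: Fetch) -> bool:
    body = fetch(f"https://{domain}{WELL_KNOWN_PATH}")
    return body is not None and hmac.compare_digest(body.strip(), token)


def verify_ownership(domain: str, token: str, resolve_txt: ResolveTXT, fetch: Fetch) -> Optional[str]:
    """Return the name of the first proof method that succeeds, or None."""
    checks = (
        ("dns", lambda: verify_dns(domain, token, resolve_txt)),
        ("root_document", lambda: verify_root_document(domain, token, fetch)),
        ("file", lambda: verify_file(domain, token, fetch)),
    )
    for name, check in checks:
        if check():
            return name
    return None


# --- Constructed demonstration data; not real DNS answers or HTTP responses ---
SECRET = b"example-server-secret"
TOKEN_ORG = issue_token(SECRET, "alice", "example.org")
TOKEN_NET = issue_token(SECRET, "alice", "example.net")


def fake_resolve_txt(domain: str) -> List[str]:
    records = {"example.org": ["v=spf1 -all", TXT_PREFIX + TOKEN_ORG]}
    return records.get(domain, [])


def fake_fetch(url: str) -> Optional[str]:
    pages = {
        "https://example.org/": "<html><head><title>x</title></head></html>",
        # example.net's root page carries the example.org token: a copied proof must not count
        "https://example.net/": f'<html><head><meta name="minion-verify" content="{TOKEN_ORG}"></head></html>',
        "https://example.net" + WELL_KNOWN_PATH: TOKEN_NET + "\n",
    }
    return pages.get(url)


if __name__ == "__main__":
    for dom, tok in (("example.org", TOKEN_ORG), ("example.net", TOKEN_NET), ("example.com", TOKEN_ORG)):
        print(dom, verify_ownership(dom, tok, fake_resolve_txt, fake_fetch))
```

A real fetcher behind this should refuse to follow redirects to another host and should require HTTPS; otherwise a site that redirects to an attacker-controlled host could be "verified" by content the target never published. Binding the token to the claimant's identity and domain is what stops a proof harvested from one site from unlocking scans of another.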

Results Reporting Improvements

Minion does not currently expose all of the detail that plugins could provide. In order to support improved reporting, the results structure that plugins follow will include additional data. This involves modifying the plugins that wrap specific tools to emit this data and, in some cases, modifying the tools as well.

Q4 2013

Reporting Plugins

This is split into two features, Result Inspection for the backend, and Result Reporting for the Front End.

Result Inspection

This feature will allow extensions that inspect each result produced by a Minion plugin and modify its values. The reference plugin will be one that uses CVE, CWE, or CVSS data carried in the results to adjust the risk rating assigned to the result.

Result Reporting

Result Reporting Plugins will allow extension of the front end to support modifying the results pages to incorporate new functionality (such as selecting an issue to "promote" to a formal issue tracker such as a Github Issue or Bugzilla).

Landing Page

The landing pages feature will allow the page a user sees as their home page within Minion to be extended based on group membership and role. For example, an administrator may wish to see administrative capabilities, while a developer may wish to see a list of issues ordered by severity.

Deferred Execution Plugins

Because Minion is intended to be extensible and usable by anyone, the core team will implement a plugin template that can be used to invoke a 3rd party scanning service or automate control over another platform. The initial target will be OpenVAS to support infrastructure scanning.

Scan Intensity Level

This will allow plans to be assembled that invoke their tools at a specified intensity level, and will prevent tools that do not support lower-intensity scans from being incorporated into plans at those levels.

Q1 2014

Cohort PoC

Cohort is a static analysis branch of Minion that is under development. It should provide the same facilities that Minion does, but with a focus on static analysis. When it is ready for release, the features will be shipped either as a separate platform or as a set of plugins for Minion.

Historical Issue Tracking

Historical issue tracking will allow users to observe trends over time for a specific plan, site, or a combination of both to observe how issues have been discovered over time. It will also allow flagging of results with feedback to assist with tool and plugin improvements.

Common Configuration Schema

This feature will introduce a schema and a set of rules for expressing configuration options. Included in this schema will be a dictionary of terms and markup that plugin authors can use to modify results of plugin tools to guide future testing and development of Minion.

Wishlist

Site and User Data Privacy

Minion is intended to provide any team with the ability to offer security as a service within their own organization. In some cases these teams may wish to ensure that their data is not shared with other teams or potentially even the Minion service operations team. Site and User Data privacy should allow user profiles to be marked as private and support an as yet undetermined mechanism to support presentation of meaningful data while ensuring that the data is protected from unrelated parties.

Minion Event Model Extensions (simple extensibility)

Extend All the Things! Every significant feature of Minion should be available for extension. This will require careful work to ensure that plugins can't break things.

Scramble - interactive script for generating plugins

Scramble is a concept tool that should allow a user to interactively invoke a command line tool with a set of parameters and emit a basic plugin that can capture the results. It should then interactively help the user to generate structured rules for processing output from the application to generate results.