Security/Reviews/ReleaseKickOffSys
From MozillaWiki
Item Reviewed
Release Kickoff System
Target |
ID | Summary | Priority | Status |
---|---|---|---|
763929 | tracking bug for initial implementation + deployment of release kickoff and release runner | P3 | RESOLVED |
810472 | security review of release kickoff system | -- | RESOLVED |
2 Total; 0 Open (0%); 2 Resolved (100%); 0 Verified (0%);
http://rail:isawesome@dev-master01.build.scl1.mozilla.com:5000
http://git.mozilla.org/?p=build/release-kickoff.git;a=summary
Introduce the Feature
Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)
- This is currently done manually; this project is meant to automate the tasks for release automation
- builds Firefox, Fennec, Thunderbird
- webapp behind a vpn
- submit information to start a new release
- gathers info, bumps things, does all the build stuff and checks and starts the release
- should only be accessible by RelEng (for now)
What solutions/approaches were considered other than the proposed solution?
- continue to be a manual solution
Why was this solution chosen?
Any security threats already considered in the design and why?
- regular web security issues (CSRF considered)
- authentication - moving to LDAP-based authentication using Apache (new LDAP group?)
Threat Brainstorming
- remote code execution
- cover off on web security
Action Items
Action Item Status | In Progress |
Release Target |
Action Items
ID | Summary | Priority | Status |
---|---|---|---|
812230 | SecReview Item: Review WebAppSec Secure coding checklist | -- | RESOLVED |
812232 | SecReview Item: Log Retention review | -- | RESOLVED |
812234 | SecReview Item: Test release kickoff system | -- | RESOLVED |
3 Total; 0 Open (0%); 3 Resolved (100%); 0 Verified (0%);