Security/Reviews/esPrivate
Item Reviewed: Private Elastic Search
Target: (no bugs listed)
Introduce the Feature
Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)
Part 3 of the Bugzilla ETL: this meeting deals with the specific issues of having bug metadata (including that of security bugs) freely available on an ES cluster behind LDAP.
This SecReview Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=943909
Architecture (same as before): https://bugzilla.mozilla.org/attachment.cgi?id=8337813
Summary of what is available on private bugs (pulled from Metrics' cluster): https://bugzilla.mozilla.org/attachment.cgi?id=8341163
Previous SecReview (public bugs only) https://wiki.mozilla.org/Security/Reviews/BZ_Elastic_Search
Overall Project About: https://wiki.mozilla.org/Auto-tools/Projects/PublicES
Code: https://github.com/klahnakoski/Bugzilla-ETL
Goal
We want to deliver accurate aggregate numbers for overall project summaries. https://metrics.mozilla.com/bugzilla-analysis/Security_Q1_Goal.html
What solutions/approaches were considered other than the proposed solution?
Why was this solution chosen?
- Private bugs ARE included.
- No comments or short_desc (summary) fields are allowed on any bugs
- There has been a similar discussion already, but in the context of making this public: concern that cc list can be mined: https://bugzilla.mozilla.org/show_bug.cgi?id=823303#c17
Any security threats already considered in the design and why?
- Private bugs ARE included.
- No comments or short_desc (summary) fields are allowed on any bugs
- There has been a similar discussion already, but in the context of making this public: concern that cc list can be mined: https://bugzilla.mozilla.org/show_bug.cgi?id=823303#c17
Threat Brainstorming
Whiteboards could have sensitive info
- Legal bugs? (bug group and product)
- HR?
- Finance and "confidential"?
- Dashboard results made public?
- "visual" cue to not get the public/private mixed up
- proxy in front of this instance
- more exposure of security bugs (but low), medium increase in utility
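The minimisation rule the review settles on (private bugs are included, comments and short_desc never leave Bugzilla), the whiteboard concern from the brainstorm, and the "this is private" indicator from the action items, as an added Python example that is not part of this page or of the Bugzilla-ETL project. The field allowlist, the restricted group names and the sample bug records are assumptions constructed for illustration:

```python
"""Field-level minimisation of Bugzilla records before indexing into ES.

Added example, not code from the Bugzilla-ETL project. It encodes the
review's stated design: private bugs ARE included, comments and short_desc
never leave Bugzilla, and every indexed document carries an explicit
"this is private" marker. Whiteboard text on private bugs is withheld,
since the brainstorm flagged whiteboards as a possible carrier of
sensitive information. Field names, group names and sample bugs are
constructed for illustration.
"""

# Fields the ETL may copy into the cluster (assumed allowlist).
ALLOWED_FIELDS = {
    "bug_id", "product", "component", "bug_status", "resolution",
    "priority", "bug_severity", "creation_ts", "delta_ts",
    "groups", "whiteboard", "keywords",
}

# Fields that must never be indexed, whatever the allowlist says.
FORBIDDEN_FIELDS = {"comments", "short_desc", "attachments"}

# Hypothetical Bugzilla group names treated as private (constructed).
PRIVATE_GROUPS = {"core-security", "legal", "hr", "finance"}


class ForbiddenFieldError(ValueError):
    """A document still carried a forbidden field after filtering."""


def check_config():
    """The two field sets must be disjoint, or the allowlist could leak."""
    overlap = ALLOWED_FIELDS & FORBIDDEN_FIELDS
    if overlap:
        raise ForbiddenFieldError(f"allowlist contains forbidden fields: {sorted(overlap)}")
    return True


def is_private(bug):
    """A bug is private when it belongs to at least one restricted group."""
    return bool(set(bug.get("groups", [])) & PRIVATE_GROUPS)


def minimise(bug):
    """Return the document that may be indexed for one raw Bugzilla record."""
    doc = {k: v for k, v in bug.items() if k in ALLOWED_FIELDS}
    doc["is_private"] = is_private(bug)
    if doc["is_private"] and "whiteboard" in doc:
        # Keep the field present so counts stay comparable, but drop its text.
        doc["whiteboard"] = "[withheld]"
    # Fail closed if a forbidden field got through anyway.
    leaked = FORBIDDEN_FIELDS & set(doc)
    if leaked:
        raise ForbiddenFieldError(f"refusing to index {sorted(leaked)}")
    return doc


def minimise_batch(bugs):
    """Minimise every record; a single bad record aborts the whole batch."""
    check_config()
    return [minimise(b) for b in bugs]


def summarise(docs):
    """Per-product counts split by the privacy marker (the dashboard use case)."""
    out = {}
    for d in docs:
        bucket = out.setdefault(d["product"], {"public": 0, "private": 0})
        bucket["private" if d["is_private"] else "public"] += 1
    return out


# Constructed sample input resembling raw Bugzilla output.
SAMPLE_BUGS = [
    {"bug_id": 1, "product": "Firefox", "component": "General",
     "bug_status": "NEW", "short_desc": "Crash on startup",
     "comments": [{"text": "Steps to reproduce ..."}],
     "groups": [], "whiteboard": "[triage]"},
    {"bug_id": 2, "product": "Core", "component": "Security",
     "bug_status": "ASSIGNED", "short_desc": "Memory safety issue",
     "comments": [{"text": "Details ..."}],
     "groups": ["core-security"], "whiteboard": "[sec-high][embargo]"},
]

if __name__ == "__main__":
    docs = minimise_batch(SAMPLE_BUGS)
    for d in docs:
        print(d)
    print(summarise(docs))
```

The allowlist, not a denylist, is what keeps comments and summaries out when Bugzilla adds new fields; the forbidden set is a second check so a misconfigured allowlist fails the batch rather than indexing text. The is_private flag is what a dashboard or proxy can key on to show the visual cue the brainstorm asks for.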
Action Items
Action Item Status: In Progress
Release Target: (not set)
Action Items:
* add "this is private" indicator