Closed Bug 1236614 Opened 8 years ago Closed 8 years ago

Request to add components to Enterprise Information Security Project

Categories: bugzilla.mozilla.org :: Administration, task

Version: Production | Type: task | Priority: Not set | Severity: normal

Status: RESOLVED FIXED

People: Reporter: claudijd, Assigned: dkl

Details

I would like to request the adding of the following components to the Enterprise Information Security project...

- Rapid Risk Analysis (RRA)
- Vulnerability Assessment (VA)
- Threat Modeling (TM)
- Penetration Test (PT)

Please let me know if you have any questions.

(In reply to Jonathan Claudius [:claudijd] (use NEEDINFO) from comment #0)
> I would like to request the adding of the following components to the
> Enterprise Information Security project...
> 
> - Rapid Risk Analysis (RRA)
> - Vulnerability Assessment (VA)
> - Threat Modeling (TM)
> - Penetration Test (PT)
> 
> Please let me know if you have any questions.

We will need at a minimum a short description for each component:

https://wiki.mozilla.org/BMO/Requesting_Changes#Components

dkl
Flags: needinfo?(jclaudius)

Rapid Risk Analysis (RRA) - The Rapid Risk (Impact) Assessment (also called Rapid Risk Analysis) is a discussion of 30 minutes or less about the potential risks of a project. The RRA is high level and lightweight.

Vulnerability Assessment (VA) - A semi-automated point-in-time vulnerability assessment conducted by a vulnerability scanner and other “point and shoot” tools for an explicit set of target(s). May include a validation component, depending on scope.

Threat Modeling (TM) - A review of the set of attack scenarios to consider against an application. They are more specific, thorough and often more time consuming than Rapid Risk Assessments (RRA). When a threat model or analysis is requested on a large service (i.e., larger than a quick reply in a bug), an RRA is required to ensure that the security recommendations cover the areas of concern of the service.

Penetration Test (PT) - An adversarial exercise with the goal of demonstrating risks that could be exploited by a threat actor. Testing scope is heavily influenced by RRA and TM results, which should be completed prior to Penetration Testing.
Flags: needinfo?(jclaudius)

Done. I removed the acronyms from the component name as they seemed redundant and cluttered up the UI some. If this is a problem I can add them back.

dkl
Assignee: nobody → dkl
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED