704235 - Start a security review process on appsync

Status: RESOLVED INVALID

(Web Apps Graveyard :: AppsInTheCloud, defect, P5)

Comment 1

[Ian Bicking (:ianbicking)]

I don't believe the code is ready entirely for "review", but the process is (e.g., the Sync document) and we should establish the criteria for further steps.

Comment 2

[Ian Bicking (:ianbicking)]

We're in contact with Raymond Forbes about this.

Comment 3

[Andreas Gal :gal]

Whats the status of this?

Comment 4

[Curtis Koenig [:curtisk-use curtis.koenig+bzATgmail.com]]]

What kind of security review are you all looking for?

Comment 5

[Andreas Gal :gal]

Not my bug, I am just trying to understand the status. ianb can probably explain.

Comment 6

[Ian Bicking (:ianbicking)]

I'm afraid we haven't really progressed past the "hi, let's talk security review" phase.

We have I guess three major pieces that should be reviewed, though on exactly what schedule I'm not sure.  There is the specification itself, and then the client and server (and I guess also the Soup client, which is a different implementation).  We are also trying to use Sauropod, but I would consider that a separate review process.

There's also a general question about what aspects of applications can be sync'd and to what effect, especially if installed application carry around permissions.   But so far we don't have any concrete examples of that.  But it's something that could emerge as a security question if we extend applications, even if sync doesn't change in the process.

Comment 7

[Ian Bicking (:ianbicking)]

We should put this review on hold, pending design changes.

Comment 8

[Jason Smith [:jsmith]]

A Pivotal Tracker story has been created for this Bug: https://www.pivotaltracker.com/story/show/24808869

Comment 9

[Jason Smith [:jsmith]]

The old app sync codebase is no longer going to be supported. Apps in the cloud will be under a different codebase. None of these bugs are valid anymore.