Closed
Bug 718891
Opened 14 years ago
Closed 13 years ago
Betafarm needs a security review
Categories
(mozilla.org :: Security Assurance: Review Request, task)
Tracking
(Not tracked)
VERIFIED
FIXED
People
(Reporter: davida, Assigned: mgoodwin)
References
Details
(Whiteboard: [secr:mgoodwin])
Tofumatt is doing a code review, and pmclanahan will be doing ongoing code changes, but we should do a code review of the website currently known as betafarm.
Code lives at https://github.com/mozilla/betafarm
Yvan mentioned doing a review end of January, which I think should be fine from our schedule's POV.
Comment 1•14 years ago
Please see https://wiki.mozilla.org/WebAppSec/Security_Review_Request and answer the 10 questions.
Whiteboard: [pending secreview]
Comment 2•14 years ago (Reporter)
1 - A quick intro to what this app does.
This is a webapp where mozillians can create simple project description pages explaining what innovative projects they're working on, and pointers to further information (github repos, wikis, etc.). Projects are tagged, and people can affiliate themselves with projects.
2 - Where is the source code located?
https://github.com/mozilla/betafarm
3 - Is there a stage server running that we can also test against? If so, please indicate what machine the web server is running on.
http://betafarm.mozillalabs.com/en-US/
(I'm not 100% sure which machine in the labs cluster this is though.)
4 - Where would you like the bugs filed in bugzilla? Please specify the product, component and if anyone specific should be copied on the bugs.
Websites:Betafarm -- no specific cc needed
5 - Will this application be collecting any personally identifiable information from users (email address, physical address, phone number, etc)?
BrowserID logins (hence emails), and profile data including:
- display name
- website url (e.g. blog)
- a bio
- whatever links the user wants (e.g. twitter, blog, etc.)
6 - Please describe if this app will be connecting to any internal or external services or if it is able to interact with the OS.
none.
7 - Does this app support logins or multiple roles? If so, we'll need test accounts created for each available role.
The app supports logged in users and project admins.
I'll get tofumatt to create accounts and amend this bug when that's done.
8 - What is the worst case scenario that could happen with this system, data or connected systems? (This is used to help understand the criticality of this server.)
9 - Does this website contain an administration page? If so, have the admin page blockers (listed here) all been addressed?
I'll let webdev comment.
10 - This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?
We have release of this site as a cross-functional Q1 goal, so review and time to fix issues that come up before that would be appreciated.
Updated•13 years ago
Keywords: sec-review-needed
Updated•13 years ago
Whiteboard: [pending secreview] → [secr:mgoodwin]
assigning to mgoodwin for review
Updated•13 years ago
QA Contact: mcoates → jstevensen
Comment 5•13 years ago (Reporter)
Ping? We're about to hit some deadline challenges.
Updated•13 years ago
Assignee: security-assurance → mgoodwin
mgoodwin, any idea of what your timeline looks like for completing this? Or do we need to reassign this to another resource?
Updated•13 years ago
Component: Security Assurance: Applications → Security Assurance: Review Needed
Updated•13 years ago
Status: NEW → ASSIGNED
Comment 7•13 years ago
Resolving this as all blockers appear to be fixed.
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment 8•13 years ago
Mark, can you verify this one? Thanks!
Updated•13 years ago
Status: RESOLVED → VERIFIED
Updated•13 years ago
Keywords: sec-review-needed