Closed Bug 724861 Opened 12 years ago Closed 11 years ago

Security review for SpeedTests

Categories

(mozilla.org :: Security Assurance: Review Request, task, P5)

Product:
mozilla.org
Component:
Security Assurance: Review Request
Type:
task

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: mcote, Assigned: freddy)

Details

(Whiteboard: [completed secreview][score:4::Low]) 

A quick intro to what this app does.

SpeedTests (slightly misnamed) is a framework for cross-browser comparisons.  It consists of one or more clients that run tests in a variety of browsers, with a web UI for viewing the results.

Info on the wiki is at https://wiki.mozilla.org/Auto-tools/Projects/SpeedTests

The only public-facing part of this is the results server, that is, the part that accepts results from clients and serves them to users, via a fairly simple web UI.  The tests themselves are served internally, since we may not be able to redistribute them (most of them are modified versions of the Internet Explorer Speed Demos)

Where is the source code located?

hg.mozilla.org/automation/speedtests/  There is a README in there about setting up the framework.

Is there a stage server running that we can also test against? If so, please indicate what machine the web server is running on.

There is not, at the moment, since the original brasstacks went down.  We have a client machine in the MV office along with a test server; however the results are not going anywhere at the moment.

Where would you like the bugs filed in bugzilla? Please specify the product, component and if anyone specific should be copied on the bugs.

Testing / General, CC mcote@mozilla.com

Will this application be collecting any personally identifiable information from users (email address, physical address, phone number, etc)?

No.

Please describe if this app will be connecting to any internal or external services or if it is able to interact with the OS.

It reads from and writes to a MySQL database.

Does this app support logins or multiple roles? If so, we'll need test accounts created for each available role.

No.

What is the worst case scenario that could happen with this system, data or connected systems? (This is used to help understand the criticality of this server.)

Nothing in particular; the app mostly just reads from and writes to a MySQL db.

Does this website contain an administration page? If so, have the admin page blockers (listed here) all been addressed?

No admin page.

This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?

I would love to get this done soon, since it has been down for a month, since brasstacks went down.  I would like to redeploy it on the new brasstacks as soon as I can.
Whiteboard: [pending secreview] → [secr:yvan]
QA Contact: mcoates → jstevensen
Component: Security Assurance: Applications → Security Assurance: Review Needed
Assignee: security-assurance → yboily
Status: NEW → ASSIGNED
Keywords: sec-review-needed
Whiteboard: [secr:yvan] → [pending secreview]
Risk/Priority Ranking Exercise https://wiki.mozilla.org/Security/RiskRatings

Priority: 1 (P5) - Age

Operational: 1 - Minor
User: 0 - N/A
Privacy: 0 - N/A
Engineering: 1 - Minor
Reputational: 1 - Minor

Priority Score: 4
Severity: normal → minor
Priority: -- → P5
Whiteboard: [pending secreview] → [pending secreview][score:4::Low]
Am I correctly assuming that this is a review for the code in server/ only and that *all* clients will only *ever* come from mozilla offices?
Assignee: yboily → fbraun
Correct.  This service has never attracted a lot of attention, so at the moment we have only one client, located in Mountain View.
The SQL queries are all safe. Nice work on that.
All done. See depending bugs for more information.
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Whiteboard: [pending secreview][score:4::Low] → [completed secreview][score:4::Low]
You need to log in before you can comment on or make changes to this bug.