Infrasec review on SmartSheet / Zimbra integration

RESOLVED WONTFIX

Status

RESOLVED WONTFIX
7 years ago
6 years ago

People

(Reporter: cmore, Assigned: ygjb)

Tracking

Details

(Whiteboard: [canceled secreview])

(Reporter)

Description

7 years ago
Per bug 731761, we are looking to install a Zimbra Zimlet to integrate with SmartSheet, which is a tool to help manage projects. The Zimbra integration would give SmartSheet abilities that we would like to further explore. We would like a review of the integration to better understand the type of data flowing between the two systems. SmartSheet is a SaaS solution and will not be hosted at Mozilla during our evaluation.

This is part of the Project Management initiative and Jim Cook has given us direction to explore the integration and test out the software.
(Reporter)

Updated

7 years ago
Blocks: 731761
(Reporter)

Updated

7 years ago
No longer blocks: 731761
(Assignee)

Comment 1

7 years ago
Hi Chris,

Can you add the info requested at:
https://wiki.mozilla.org/WebAppSec/Security_Review_Request
(Reporter)

Updated

7 years ago
Blocks: 731761
(Assignee)

Updated

7 years ago
Whiteboard: [pending secreview] → [pending secreview][secr:yvan]
QA Contact: mcoates → jstevensen
(Reporter)

Comment 2

7 years ago
Who is/are the point of contact(s) for this review?

Chris More and mrz.

Please provide a short description of the feature / application (e.g. problem solved, use cases, etc.):

Mozilla is moving forward with SmartSheet is a standard tool to assist with project management and bring viability to other parts of the organization. SmartSheet integrates with Zimbra to allow you to overlay project meta data with our enterprise calendars.

Please provide links to additional information (e.g. feature page, wiki) if available and not yet included in feature description:

http://gallery.zimbra.com/type/zimlet/smartsheet-project-management

http://blog.zimbra.com/blog/archives/2010/08/zimbra-integrates-with-smartsheet.html


Does this request block another bug? If so, please indicate the bug number:

blocks 731761, the install of it on Mozilla's Zimbra instance.

This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?

We are going to be moving forward with SmartSheet as our only project management tool on the new Web Productions team and will be using it to manage mozilla.org and the rest of Website projects.

Please answer the following few questions: (Note: If you are asked to describe anything, 1-2 sentences shall suffice.)

Does this feature or code change affect Firefox, Thunderbird or any product or service the Mozilla ships to end users?

No

Are there any portions of the project that interact with 3rd party services?

Yes

Will your application/service collect user data? If so, please describe 

Yes and No. The integration allows you to overlap SmartSheet data with Zimbra data, but it will need to be investigated on what data flows in and out of our network.

If you feel something is missing here or you would like to provide other kind of 
feedback, feel free to do so here (no limits on size):

Nothing else.

Desired Date of review (if known from https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html) and whom to invite. 

As soon as possible so that we can move forward, but I understand that everyone has limited time. Just let me know what is realistic in the short-term.
Component: Security Assurance: Applications → Security Assurance: Review Needed
Assignee: security-assurance → yboily
Status: NEW → ASSIGNED
(Assignee)

Comment 3

7 years ago
Hi Chris,

Can you forward the following questionnaire to the Smartsheets team?

Hi Jennifer, 

Can you forward these questions on to the vendor:

Vendor Assessment Security Questions

Purpose

This document will be completed by any vendors used by Mozilla that will have access to user data.
Questionnaire

The following suggested questions should be adjusted for the specific services offered by the vendor
Overall

Please describe the overall purpose of the system and how Mozilla data will be integrated

Security Management

Have you performed internal security audits of your code or application that, at a minimum, addressed the OWASP Top 10? If so, please provide a description of the review and results.

Has a security audit been performed by an external third party? If so, who performed this audit and are the results available?

How do you protect Mozilla data that will be stored on your servers or within your applications?

How do you prevent other customers of your service from obtaining access to data provided by Mozilla?

What is your disclosure policy to customers in the event of a compromise of your servers, applications or any related infrastructure that interacts with the applications holding Mozilla data?

Have you suffered a security compromise in the past 24 months? If so, please provide details and remediation that occurred as a result.
   
What other large engagements/clients have you supported with this application?

Technical Design

Do you support full SSL communication for all inbound and outbound communications?
    
Describe the technology stack of the application and infrastructure.
    
What options do your support for authentication?
        username/password
        certificate based authentication
        secret token
    
Do you use third party servers or do you host the servers yourself?
    
Do you use any third party services or communicate with any third parties from this application?

Security Verification

The Mozilla Infrastructure Security team will perform a security review of the designed application.

    
Will testing of the running application be possible?
    
Will source code for their application be available?
Keywords: sec-review-needed
Whiteboard: [pending secreview][secr:yvan] → [pending secreview]
(Reporter)

Comment 4

7 years ago
I've sent the questions to SmartSheet and will report back when they are complete. Thanks!
(Reporter)

Updated

6 years ago
Blocks: 753637
(Reporter)

Comment 5

6 years ago
Answers below:

==Security Management==

Have you performed internal security audits of your code or application that,
at a minimum, addressed the OWASP Top 10? If so, please provide a description
of the review and results.

* Yes. Testing was performed with multiple suites, including Nessus, Metasploit and other internally developed regression tools. We know of no existing security vulnerabilities in our product.

Has a security audit been performed by an external third party? If so, who
performed this audit and are the results available?

* Yes. Qualys performed the most recent audit. Those results are not available for disclosure. We are currently in process for selecting a new audit provider and future audit results will be available on an ongoing basis for enterprise partners.

How do you protect Mozilla data that will be stored on your servers or within
your applications?

* All access to data is controlled through a specific data abstraction layer with build access controls. No ad-hoc queries exist in the application.

How do you prevent other customers of your service from obtaining access to
data provided by Mozilla?

* All access to data is controlled through a specific data abstraction layer with build access controls. No ad-hoc queries exist in the application.

What is your disclosure policy to customers in the event of a compromise of
your servers, applications or any related infrastructure that interacts with
the applications holding Mozilla data?

* See security policy. Any data breach is disclosed within 2 business days

Have you suffered a security compromise in the past 24 months? If so, please
provide details and remediation that occurred as a result.

* No. 

What other large engagements/clients have you supported with this application?

==Technical Design==

Do you support full SSL communication for all inbound and outbound
communications?

* All interaction with the application requires SSL. 

Describe the technology stack of the application and infrastructure.

* The application stack is apache on linux fronting tomcat. The Java application uses a custom data access layer that enforced access privileges and provided audit trails against a transactional MySQL datastore.

What options do your support for authentication?
       username/password
       certificate based authentication
       secret token

* Username/Password
* openid
* SAML 2.0

Do you use third party servers or do you host the servers yourself?

* Our systems are currently hosted at Rackspace in Dallas and Chicago 

Do you use any third party services or communicate with any third parties from
this application?

* Amazon AWS (S3) 

==Security Verification==

The Mozilla Infrastructure Security team will perform a security review of the
designed application.

Will testing of the running application be possible?

Yes

Will source code for their application be available?

No
(Reporter)

Comment 6

6 years ago
Do we have an update on this?
(Reporter)

Comment 7

6 years ago
ring ring?
(Assignee)

Comment 8

6 years ago
Can we get an update from SmartSheets on the status of their vendor selection process, or authorization to perform our own testing on the service?
(Reporter)

Comment 9

6 years ago
Bug 753637 (attached to this bug), is the vendor/contract bug. We are in final contract review of SmartSheet and they will be the vendor of choice. We already have almost 50 people at Mozilla using SmartSheet and this bug was specifically on doing a security review of the integration of SmartSheet and Zimbra. Integrating SmartSheet and Zimbra is not required to use SmartSheet, but it is a value-add given that we have already invested in Zimbra.

As for authorizations to do testing, do you want me to check to see if they have a stage/dev instance that we can hit?
(In reply to Chris More [:cmore] from comment #9)

> As for authorizations to do testing, do you want me to check to see if they
> have a stage/dev instance that we can hit?

(:yvan is PTO for the next three weeks, adding :rforbes & :dchan per his request to assit in interim)

I think that would be a good idea given we don't have access to the Qualys info.
(Reporter)

Comment 11

6 years ago
I'm currently asking SmartSheet and will update asap.
:cmore - any news on where we are with this info?
(Reporter)

Comment 13

6 years ago
I think the message got lost on SmartSheet's side and I just pinged them again. Are you going to be testing the application directly or just the zimbra integration pieces?

Did we do all this similar security work when we decided to use Yammer for social collaboration?
(In reply to Chris More [:cmore] from comment #13)
> I think the message got lost on SmartSheet's side and I just pinged them
> again. Are you going to be testing the application directly or just the
> zimbra integration pieces?
> 
I think just the zimbra part, :dchan / :rforbes might have better info.

> Did we do all this similar security work when we decided to use Yammer for
> social collaboration?
Not that I am aware of, they just started using it before we could say anything. It also does not interface with any of our internal systems directly so I think it might have gotten a pass for that. It also came in before the security reorg last year and before we looked as closely at some of these things. When we add 3rd party stuff to our infra we accept some risk with any bugs or other issues they may have and thus now taking a closer look at some things that are integrated with critical systems (like email).
(Reporter)

Comment 15

6 years ago
The issue is that everyone thinks that this security review
No longer blocks: 753637
(Reporter)

Comment 16

6 years ago
* opps. 

Edit: The issue is that I think some people believe that this specific security review should block the contract from being signed, but it should not. I removed removed this from blocking the contract in bugzilla as they are two totally separate issues. We can use an are using SmartSheet now without Zimbra and it is not a requirement. I just wanted to get the Zimbra integration moving since I knew it would take a while.
I/we have virtually nothing to do with the contract part. If legal thinks this should block that is their call. I don't think SecAssurance is prepared to block contract stuff at this time.
(Reporter)

Comment 18

6 years ago
Hey Curtis. I talked to SmartSheet and they don't know how to provide access to a stage environment that would accurately reflect the production environment. They would like to set up a phone call between you and their people. Can I set up something based on your Zimbra availability?
I think dchan and rforbes would be a better choice for this conversation. I am just the guy trying to keep all these reviews moving forward and on track, the other guys are the technical resources and expertise.
(Reporter)

Comment 20

6 years ago
This zimlet code should be downloaded, installed on a dev/stage instance of Zimbra, and code reviewed. http://gallery.zimbra.com/type/zimlet/smartsheet-project-management
(Reporter)

Comment 21

6 years ago
I just talked to SmartSheet and they recommended not proceeding with the Zimbra integration. They generalized the integration to just providing dynamic ICS. Since Zimbra can integrate with ICS, the integration is available today. They are end of EOL'ing the Zimlet because you can do most of it with the features they have now.

Thanks for the effort up until this point.
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → WONTFIX
Whiteboard: [pending secreview] → [canceled secreview]
You need to log in before you can comment on or make changes to this bug.