Obtaining security reviews for new features or significant changes to existing code (was: Re: Intent to Implement System Add-on: SHIELD/Normandy)

Selena Deckelmann selena at mozilla.com
Sat Oct 1 19:23:42 UTC 2016


Hi!

[sorry for the dupe to a few of you.. I just subscribed to fx-dev]

Currently, we provide a limited number of reviews on request, with Paul
Theriault and someone from EIS/IT (Jeff Bryner's team). These would be
threat model + architecture reviews. Recent requests have come from CD and
Flyweb. I'm aware of some other, more informal reviews that different
engineers give when they can, and we're interested in making those easier
to request and give.

As a "program", security review doesn't formally exist today. We have ideas
about what more we might try to do in 2017, but no solid plans yet.

Also, we don't have enough people to do many security *code reviews*. We're
trying to avoid a "security cop" mentality where we are the source of tons
of stop energy for innovation and creativity -- for the sake of the
reviewers and people requesting review.

Get in touch with Paul and myself if you have requests or ideas about what
you would like to see for security review.

I'll spend some quality time with the wiki on Monday to update outdated
information. Thanks for bringing this to my attention. I'll see about
making or repurposing a bugzilla component for requests as well and report
back to this thread.

On Sat, Oct 1, 2016 at 11:33 AM Gijs Kruitbosch <gijskruitbosch at gmail.com>
wrote:

> -relman,gofaster,mgrimes
> +Selena
>
> On 01/10/2016 00:48, J. Ryan Stinnett wrote:
>
>
> On Fri, Sep 30, 2016 at 8:41 AM, Gijs Kruitbosch <gijskruitbosch at gmail.com> wrote:
>
> In this specific case, it sounds like you're already talking to the
> security team. They would be the best people to judge if you (still) need a
> formal security review to happen on the code you're landing. If you haven't
> talked to them about this, now would be a good time. For other projects, a
> quick web search gets me:
> https://wiki.mozilla.org/Security#Request_a_Security_or_Privacy_Review
> which seems fairly straightforward to me.
>
>
> I suppose this is the wrong venue for this rabbit hole,
>
> I think fx-dev is a fine venue as far as desktop product security is
> concerned. I've taken us out of the earlier thread, though.
>
> but I've had a hard time contacting the security team in the past, so I am
> not sure what the right venue is. The wiki page above links to a security
> review request form that says "This process not currently in use,
> maintaining for historical purposes".
>
> Is there a description of the correct process for requesting security
> review somewhere? I've received a lot of mixed signals about this process
> in the past, so having the right answer would be great!
>
>
> I hadn't noticed that. And you're right, it would be good if the wiki page
> was up-to-date (or redirected to somewhere up-to-date) and the process here was
> clearer (more than "ask around to find the right person").
>
> Selena, AFAICT from phonebook you should be a good person to ask (please
> forward as necessary if I missed something) - can you help elucidate what
> would be the most current process here as far as gecko/desktop/mobile stuff
> (rather than web/ops) is concerned?
>
> Thanks,
> Gijs
>