MozillaFoundation / engineering-handbook

Mozilla Foundation's Engineering Handbook
https://mozillafoundation.github.io/engineering-handbook/

Chapter - Web App Security Review #32

Closed jdotpz closed 6 years ago

jdotpz commented 9 years ago

https://wiki.mozilla.org/WebAppSec/Web_Security_Verification I'll go over this with Atul, Joes, Yvan, and Julien tonight, and then the larger team tomorrow at 11am.

jdotpz commented 9 years ago

@simonwex @Pomax @jbuck @k88hudson @ScottDowne @gesa @alicoding @gvn @toolness

Hi! Instead of meeting to discuss this prior to documenting things in this issue, we're going to go through that process here. As you are all much smarter than I am, I am betting as we go through this list, you will have some opinions about the best way we can work together on security reviews for new applications as well as new code pushes. Here are a few questions I think we should work through, as well as a more general discussion about the process.

So, here are some things to consider as you read the security review checklist.

1) Which of these items are relevant for programming in node.js, versus what is irrelevant?
2) What other security vulnerabilities do you think we should be looking for?
3) What triggers the security review? If we push copy, for example, compared to pushing a new module, compared to a brand new prototype application on Heroku, what qualifies as needing a full-on security review?
4) Do we only test mofo staging / production mature applications, or do we go to town on more prototype kinds of apps?
5) Are there items in this checklist that should always be a blocker, never be a blocker?
6) Do you have any automated testing tools you like or have heard about that you think we should try?
7) Do we only test in staging, or do we also put things through the wringer once we land in production?
8) What kind of testing do we do on items like BSD petition and payment forms, or do we put this testing on BSD ;)
9) Which items do you understand how to test for, and what items do we need to seek assistance to learn how to effectively test?
10) Which questions did I forget to ask, and which questions do you now have?

GO!

cat5

Pomax commented 6 years ago

time passed this PR by =(