On Friday, 14 July 2017 04:44:39 UTC+2, Richard Wang wrote:
> Hi Peter,
>
> Thanks for your guesses.
> But no those issues in our system.
>
>
> Best Regards,
>
> Richard
That's what you say. But you've lied before. :-( So sorry, but that won't go anywhere near regaining trust. You'll have to be quite a bit more transparent before anything you say will be believed.

I really don't see why you post this summary at a time when you have not yet told us anything about the items that went before it. Or should have gone before? The summary itself doesn't say much. But some things can be read between the lines.

There was a penetration test and they found problems which you then fixed quickly. Sounds like you did not do anything about the reason why those problems were in your code. So there will probably be more. That in itself is not surprising, but a team that quickly fixes those problems is. They should instead have done an analysis of why those problems were there in the first place and fixed their software development practices/process, then let that take care of fixing the problems.

There was a code review. But we don't hear anything about what the outcome was. There may have been findings, but more important is what the overall quality of the code is. And still more important is what the quality of your development process is. Are there unit tests, integration tests, what is the coverage, how complete is the documentation, specs, structure of the code, how good the layering, how complex is it, how maintainable, how correct, are you using version control, release management, code quality scanners? All that is not covered by a penetration test and only some of it by a code review.

So item five is really not all that important. It is just an extra insurance that all is well after all the other work has been done. I still think that it would make most sense to start by showing us this item one. That would be a real step towards regaining trust.

CU Hans

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

