On 23/03/12 17:45 PM, Lucas Adamski wrote:
> Thank you all for participating in the B2G security discussion so far. While the
> "uber-thread" has resulted in some very useful and creative discussion, it is
> clearly difficult to analyze such a complex model thoroughly without putting some more
> structure in place. As such, we should break up this conversation to focus on each layer
> of the security model at a time, coming to a specific proposal before moving onto the
> next layer to ensure we establish a solid foundation for discussion.
> As such, after talking to Jonas and Andreas, I propose we talk through the
> following layers of the security model in order:
> 1) Get agreement on different "types" of applications

Yes please. In the security world we might call this "the business" or
"the context." Without some solid ground here, we're liable to spin off
into space.

Then, out of the business, we extract requirements. The security design
must meet these requirements.

> (roughly corresponding to groupings of privileges organized by risk)

(point of order - privileges assumes a design, and risk assumes a risk
analysis.)

> 2) Talk through risks of each WebAPI and determine which of the above type(s)
> it belongs to (and whether access to it would be implicit or explicit)
> 3) Determine security implications and mitigations for each application type
> (CSP, HSTS++, CA pinning, signing, whatever)
> 4) Discuss the app lifecycle:
> a) publish
> b) install
> c) update
> d) revoke
> 5) OS security risks and mitigations
> 6) Review security model and compare against threat model

...against requirements.

> The goal is to do a full pass through this conversation in 2 weeks. Obviously
> if new data emerges we might revisit previous decisions, but it'll be more
> productive if we can stake down some positions throughout the process and build
> upon them.

It generally takes me 1 - 3 months to lay out all the requirements. And
1-3 weeks to do the solution, which is the easy part :) Oh, and the
coding, same.

> I'm sending out the first phase (application types) after this email.

thanks
iang
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security