Yesterday I talked about what we are doing in Bugzilla, so today I want to cover the new feature pages and how we are using their new status section to track security interaction. If you have not seen the new MediaWiki-based feature pages yet, they are super _cool_! You can check out dria's (Deb Richardson) great work on any of our feature pages or on the demo page. This post is meant to help everyone understand what these new fields mean and how to use them to get the best interaction with the security team.
Just as with bugs, to get a handle on what we are doing, not doing, or not doing well, we need data. I am going to skip the history of how we got here for now (another post for another day, maybe), since it would detract from what I want to focus on. In the old way of working we would edit a feature page, add a name (usually mine) as the security resource, and then add a section for security notes. That section held either the notes from our meetings or a link to the review page. I would also track all of this on a hand-edited wiki page that first lived in my intranet profile and later moved to the public wiki, known simply as the "radar". The big problem was that we had no way of knowing which features were coming, which ones we had worked on, or their status without this very manual page, and I spent a good deal of my time maintaining it as things changed, as well as keeping the wiki notes and schedules up to date.
Where We Are
Now we have this great new MediaWiki form, and the radar is driven by searches (yay, automation!), which gives a few immediate advantages:
- We can now search for items that we need to decide on.
- We can track a workflow for what needs to happen.
- We have a record of what we did and when.
- We can have a common framework and keywords that have meaning to more than our team.
The new feature pages have a great new section, 'Team Status Notes', that we are going to use to accomplish just that.
The security line is actually made up of three elements: two you can see right away, the status and the notes, and a hidden one, 'security health', that is only visible in the form editor and gives us a colour coding for visual indication. Let's start with status.
| Status | What it means |
| --- | --- |
| (blank) | Untriaged: the team has not looked at it yet and made an action decision to either do something or do nothing. |
| sec-review-needed | The item has been triaged and a security review is needed. This could be a design review with the whole team or just one of us looking into it; in that case the reviewer's alias is in the notes. |
| sec-review-sched | A review has been scheduled. The date of the scheduled review shows in the notes and a meeting is on the Security Review Calendar. |
| sec-review-active | The review is ongoing: the team met with the feature owner and decided more work was needed (e.g. fuzzing, threat model, implementation review, pen testing). The notes say what that work is and who has taken responsibility for it. |
| sec-review-complete | We're done. The notes link to the security notes for everything that was done (e.g. https://wiki.mozilla.org/Security/Reviews/Firefox6/ReviewNotes/webconsole). |
| pass | During triage the team decided not to interact with this feature; no security work was done or is scheduled to be done. |
The other field that conveys meaning beyond the notes is the health indicator, shown as a colour in the form, which has the following values.
| Health Indicator | What it means |
| --- | --- |
| OK | Things are on track; nothing is blocking and there are no concerns at this time. |
| Blocked | Security is concerned enough about something to block the feature from landing, or from moving into the next train phase, until it is fixed or resolved. |
| At Risk | Things are not progressing as they should, so the feature will likely not make its designated ship window. This could be for a variety of reasons. |
| Assigned | Security work is continuing and has been assigned to someone to follow up and report back on. |
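Because both tables define a vocabulary and a workflow, it is worth having a script that checks feature pages against them rather than eyeballing the radar. The following is an added example, not code from the feature pages or the Mozilla wiki: it lints a set of feature records against the status and health tables above, checks that a status change follows the workflow, and rebuilds the "items we need to decide on" search. The record layout (a dict with `feature`, `security_status`, `security_notes` and `security_health` keys), the rule that `pass` is only reachable from the untriaged state, and the `YYYY-MM-DD` date format in the notes are all assumptions; the feature names in the sample are constructed.

```python
"""Lint feature-page security fields against the status/health vocabulary.

Added example, not the wiki's own code. Record layout, the transition rules
and the note conventions (ISO date, http link) are assumptions.
"""
import re
from typing import Dict, List

# Status vocabulary from the post; "" is the untriaged/blank state.
STATUSES = ("", "sec-review-needed", "sec-review-sched",
            "sec-review-active", "sec-review-complete", "pass")
HEALTH = ("OK", "Blocked", "At Risk", "Assigned")

# Forward-only workflow. Assumption: 'pass' is a triage outcome, so it is only
# reachable from untriaged, and a scheduled review may close without a
# separate 'active' phase.
TRANSITIONS = {
    "": {"sec-review-needed", "pass"},
    "sec-review-needed": {"sec-review-sched", "sec-review-active"},
    "sec-review-sched": {"sec-review-active", "sec-review-complete"},
    "sec-review-active": {"sec-review-complete"},
    "sec-review-complete": set(),
    "pass": set(),
}

DATE_RE = re.compile(r"\b\d{4}-\d{2}-\d{2}\b")   # assumed date format in notes
URL_RE = re.compile(r"https?://\S+")


def transition_ok(old: str, new: str) -> bool:
    """True if moving a feature from status `old` to `new` follows the workflow."""
    return old == new or new in TRANSITIONS.get(old, set())


def lint(rec: Dict[str, str]) -> List[str]:
    """Return the problems with one feature record (empty list = consistent)."""
    status = rec.get("security_status", "").strip()
    notes = rec.get("security_notes", "").strip()
    health = rec.get("security_health", "OK").strip() or "OK"
    problems: List[str] = []

    if status not in STATUSES:
        return [f"unknown status {status!r}"]
    if health not in HEALTH:
        return [f"unknown health {health!r}"]

    # What the notes line must carry for each status, per the status table.
    if status == "sec-review-needed" and not notes:
        problems.append("sec-review-needed but no reviewer alias in notes")
    if status == "sec-review-sched" and not DATE_RE.search(notes):
        problems.append("sec-review-sched but no review date in notes")
    if status == "sec-review-active" and not notes:
        problems.append("sec-review-active but notes do not say what work "
                        "is pending or who owns it")
    if status == "sec-review-complete" and not URL_RE.search(notes):
        problems.append("sec-review-complete but no link to review notes")

    # The health indicator has to make sense for the status it sits next to.
    if status in ("", "pass") and health != "OK":
        problems.append(f"health {health!r} set although no security work "
                        "is planned for this feature")
    if status == "sec-review-complete" and health in ("Assigned", "At Risk"):
        problems.append(f"health {health!r} left on a completed review")
    if health == "Assigned" and status not in ("sec-review-needed",
                                               "sec-review-active"):
        problems.append("health Assigned but nothing is assigned in this status")
    return problems


def radar(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group feature names by status: the search the hand-edited radar page did."""
    out: Dict[str, List[str]] = {s: [] for s in STATUSES}
    for r in records:
        out.setdefault(r.get("security_status", "").strip(), []).append(r["feature"])
    return out


def needs_decision(records: List[Dict[str, str]]) -> List[str]:
    """Features still untriaged, i.e. the ones the team has to decide on."""
    return radar(records)[""]


def report(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each feature with problems to its list of problems."""
    return {r["feature"]: p for r in records if (p := lint(r))}


# Constructed sample records; only the Web Console link is taken from the post.
SAMPLE = [
    {"feature": "Web Console", "security_status": "sec-review-complete",
     "security_notes": "https://wiki.mozilla.org/Security/Reviews/Firefox6/ReviewNotes/webconsole",
     "security_health": "OK"},
    {"feature": "Feature A", "security_status": "sec-review-sched",
     "security_notes": "review 2011-06-15 with feature owner", "security_health": "OK"},
    {"feature": "Feature B", "security_status": "sec-review-sched",
     "security_notes": "will schedule soon", "security_health": "Assigned"},
    {"feature": "Feature C", "security_status": "", "security_notes": "",
     "security_health": "OK"},
    {"feature": "Feature D", "security_status": "pass", "security_notes": "",
     "security_health": "Blocked"},
]

if __name__ == "__main__":
    for name, probs in report(SAMPLE).items():
        print(name, "->", "; ".join(probs))
    print("needs decision:", needs_decision(SAMPLE))
```

Run against the sample, Feature B is flagged twice (no date for a scheduled review, and an 'Assigned' health on a status where nobody is assigned) and Feature D once (a 'Blocked' health on a feature we decided to pass on), while Feature C shows up as the only item still waiting for a triage decision. Feed it the real form fields and the inconsistencies that used to hide in a hand-maintained page fall out in a few lines.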
This should give anyone who wants to know what is going on with security on any given feature a decent clue. Questions, concerns or smart remarks can be made to me on irc or email.