On Fri, Mar 16, 2012 at 10:39 PM, ptheriault <[email protected]> wrote: > To aid the discussion of controls vs threats, I have drafted an initial list > of threats with associated controls here: > https://wiki.mozilla.org/B2G_App_Security_Model/Threat_Model > > I have tried to include all threats/controls raised in the thread so far, but > I have no doubt missed or misinterpreted some, so please feel free to > contribute to this page. At the moment it is very high level, in line with > the debate, but I expect to evolve to being more specific and quantified once > we get closer to a design for the permissions model. > > My own two cents on the "Gaia" apps - I am not sure if Gaia apps is the > right term for the security discussion. My understanding is that most of the > apps that were included in the Gaia project are not critical system > applications (games, camera, image gallery, clock etc). But it did include > some that are definitely critical (dialer, sms, browser,settings app) and > some which are in between the two. > > But the name is besides the point. Personally I don't think one set of > security requirements is going to fit all of the Web Apps that will be > installed on all B2G instances. I'm not sure if using the term Gaia/non-gaia > apps is the best distinction, but I do think we need a different level of > requirements for angry birds, than we have for critical system Web Apps. And > I think this control needs to be beyond HSTS and trust in app stores to > control their developers/infrastructure, due to the threats outlined in the > linked page above.
super, i believe this will help enormously. 2 things: a) just considering the apps from the perspective *solely* of apps is not going to be enough. it's a bit like saying that you must secure the win32 GUI code without considering the OS itself. and this is an OPERATING SYSTEM project NOT A GUI project. b) i still have absolutely no idea what this "CSP" is. or an HSTS. it's really really critical that a full glossary of terms is included: you *can't* assume that everyone knows what these are. lastly a point of order: please please please could people follow basic netiquette guidelines for mailing lists, it's getting kinda tedious to trawl through 50 to 100 paragraphs just to try to find the one paragraph that was being referred to at the very very top of the message. this one seems to be very good, as well as being a no 1 hit for google "mailing list netiquette", apart from it describing things from the perspective of the lowendmac.com google group.... http://lowendmac.com/lists/netiquette.shtml _______________________________________________ dev-security mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security
