Summary - Improving security of Contributed modules


Notes from our session

  • Documentation needed
    • checklist for security reviews
    • one-page docs on XSS, SQL injection, db_rewrite_sql, ...
  • Add a link and form for submitting a security review on a project.
    • Only show positive reviews. Bad reviews send email to the security team and owners.
  • Possibly show security advisories for some period of time on a project
  • Add a security acknowledgement checkbox to the CVS request form: "I agree and understand"
  • Add a security paragraph to the welcome message for contrib access
  • Outreach to contrib authors: newsletter, screencasts, ...

Comments

Show security advisories on projects


Possibly show security advisories for some period of time on a project

Would the advisories need to be added to a project manually? If so adding them should be restricted to member(s) of the security team.

Any thoughts of how long to leave advisories up for? Expiring after a year sounds good to me.