WebAppSec/Wordpress Security Review Process

From MozillaWiki

Note: This document is maintained on the internal mana website at the following link. This is a copy of that document.

Purpose

Document the security review and installation process for WordPress enhancements, including themes and plugins.

WordPress Theme or Plugin

  • A Mozillian finds or creates a new theme or plugin
  • The Mozillian files a security review request for the theme/plugin
  • Infrasec reviews the theme/plugin for security issues
  • IT installs the theme/plugin *after* Infrasec okays it
  • IT activates the theme/plugin on blog.mozilla.com
  • The Mozillian can then pick out the new theme if they are a blog admin

Note: Based on the quantity of security reviews and the urgency of many projects, please allow several weeks for this entire process.

Why Require a Security Review?

A surprisingly large number of cross-site scripting (XSS) vulnerabilities have been found in WordPress themes and plugins. This kind of vulnerability could allow an attacker to compromise users visiting the WordPress site, steal WordPress admin credentials, or even rewrite the entire page.
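The most common root cause behind these theme and plugin findings is request data (the PHP superglobals such as $_GET and $_REQUEST) echoed into a page without WordPress's context-specific escaping functions (esc_html, esc_attr, esc_url, wp_kses). The following script is an added example, not Mozilla's or Infrasec's review tooling: it runs a simple triage pass over a constructed theme fragment and reports output statements where a superglobal reaches the page unescaped. The sample theme text, the list of escaping functions treated as sufficient, and the regular expressions are all assumptions made for this illustration.

```python
"""Triage scanner for the unescaped-output pattern behind many WordPress
theme/plugin XSS findings (added example; not Mozilla's review tooling)."""
import re

# Constructed sample theme fragment (not taken from any real theme). It mixes
# the unescaped pattern a reviewer looks for with correct WordPress escaping.
SAMPLE_THEME = "\n".join([
    "<?php",
    "// search.php (constructed sample)",
    "$q = $_GET['s'];",
    "?>",
    "<h2>Results for <?php echo $_GET['s']; ?></h2>",                      # line 5: reflected XSS
    "<input type=\"text\" value=\"<?php echo esc_attr($_GET['s']); ?>\">",  # line 6: escaped for attribute context
    "<p><?= $_REQUEST['page'] ?></p>",                                       # line 7: short echo tag, unescaped
    "<?php echo esc_html($q); ?>",                                           # line 8: escaped for HTML body
])

# Superglobals whose contents are attacker-controlled.
TAINTED_RE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\s*\[")

# WordPress escaping helpers (plus PHP's own) treated as sufficient when they
# wrap the tainted value. Assumed list; extend it for your own review.
ESCAPERS = ("esc_html(", "esc_attr(", "esc_url(", "esc_js(", "esc_textarea(",
            "wp_kses(", "wp_kses_post(", "htmlspecialchars(", "intval(", "absint(")

# Output statements: 'echo ...;' / 'print ...;' and the '<?= ... ?>' short tag.
OUTPUT_RES = (
    re.compile(r"\b(?:echo|print)\b\s+(?P<expr>[^;]*);"),
    re.compile(r"<\?=\s*(?P<expr>.*?)\s*\?>"),
)


def unescaped_outputs(expr):
    """Return the tainted sub-expressions of one output expression that are
    not preceded by an escaping call (heuristic: the escaper must appear
    somewhere before the superglobal in the same expression)."""
    hits = []
    for m in TAINTED_RE.finditer(expr):
        prefix = expr[:m.start()]
        if not any(name in prefix for name in ESCAPERS):
            hits.append(expr[m.start():].strip())
    return hits


def scan_php(source):
    """Scan PHP source text; return (line number, expression) findings."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for rx in OUTPUT_RES:
            for m in rx.finditer(line):
                for expr in unescaped_outputs(m.group("expr")):
                    findings.append((lineno, expr))
    return findings


if __name__ == "__main__":
    for lineno, expr in scan_php(SAMPLE_THEME):
        print(f"line {lineno}: unescaped user input reaches output: {expr}")
```

On the sample the scanner flags lines 5 and 7 and accepts lines 6 and 8. Note its limits: it only follows a superglobal to an echo on the same line, so the copy into `$q` on line 3 would be missed if `$q` were later echoed unescaped, and it does not check that the escaper matches the output context (esc_attr inside an attribute, esc_url for href). Those gaps are exactly why the pattern search is a starting point for the manual review, not a substitute for it.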

The Review Process

Please view our Security Review Process Wiki page here: https://wiki.mozilla.org/Security/ReviewProcess#WordPress_Plugin_Review_Process