Security/Projects/Minion/Roadmap: Difference between revisions
No edit summary |
|||
| Line 1: | Line 1: | ||
== | =Q3 2013= | ||
==Site Ownership Verification== | |||
Site Ownership Verification is a feature that will enable administrators to require users and sites to demonstrate ownership or control over a domain before allowing a scan to proceed. | |||
Ownership will be demonstrated in one of three ways: | |||
* | * The ability to modify DNS records to present a Minion specified value | ||
* | * The ability to have the application server include content within the root document | ||
* The ability to place a file with specific values in a specified path on the server | |||
* | |||
==Results Reporting Improvements== | |||
Minion does not currently provide all of the detail possible from plugins. In order to support improved reporting, the results structure that Plugins will follow will include additional data. This involves both modifying the plugins that support specific tools to emit this data, and in some cases, the tools as well. | |||
=Q4 2013= | |||
==Reporting Plugins== | |||
This is split into two features, Result Inspection for the backend, and Result Reporting for the Front End. | |||
== | |||
===Result Inspection=== | |||
=== | This feature will allow extensions that will inspect each of the results produced by a Minion plugin, and modification of values. The reference plugin will be one which leverages CVE, CWE, or CVSS data within the results to modify the risk rating assigned to the result. | ||
=== | ===Result Reporting=== | ||
Result Reporting Plugins will allow extension of the front end to support modifying the results pages to incorporate new functionality (such as selecting an issue to "promote" to a formal issue tracker such as a Github Issue or Bugzilla). | |||
==Landing Page== | |||
The landing pages feature will allow extension of the pages that users Home Page within Minion based on group membership and role. For example, an administrator may wish to see administrative capabilities. while a Developer may wish to see an ordered list of issues based on severity. | |||
==Deferred Execution Plugins== | |||
Because Minion is intended to be extensible and usable by anyone, the core team will implement a plugin template that can be used to invoke a 3rd party scanning service or automate control over another platform. The initial target will be OpenVAS to support infrastructure scanning. | |||
==Scan Intensity Level== | |||
This will allow plans to be assembled which will invoke the tools added at a specific level, and preventing tools which don't support lower intensity scans being incorporated into plans. | |||
=Q1 2014= | |||
==Cohort PoC== | |||
Cohort is a static analysis branch of Minion that is under development. Adopting the same features and functionality, it should provide the same facilities that Minion does, but with a focus on static analysis. When it is ready for a release, the features will be shipped either as a unique platform, or as a set of plugins for Minion. | |||
==Historical Issue Tracking== | |||
Historical issue tracking will allow users to observe trends over time for a specific plan, site, or a combination of both to observe how issues have been discovered over time. It will also allow flagging of results with feedback to assist with tool and plugin improvements. | |||
==Common Configuration Schema== | |||
This feature will introduce a schema and a set of rules for expressing configuration options. Included in this schema will be a dictionary of terms and markup that plugin authors can use to modify results of plugin tools to guide future testing and development of Minion. | |||
=Wishlist= | |||
==Site and User Data Privacy== | |||
Minion is intended to provide any team with the ability to offer security as a service within their own organization. In some cases these teams may wish to ensure that their data is not shared with other teams or potentially even the Minion service operations team. Site and User Data privacy should allow user profiles to be marked as private and support an as yet undetermined mechanism to support presentation of meaningful data while ensuring that the data is protected from unrelated parties. | |||
==Minion Event Model Extensions (simple extensibility)== | |||
Extend All the Things! Every significant feature of Minion should be available for extension. This will require careful work to ensure that plugins can't break things. | |||
==Scramble - interactive script for generating plugins== | |||
Scramble is a concept tool that should allow a user to interactively invoke a command line tool with a set of parameters and emit a basic plugin that can capture the results. It should then interactively help the user to generate structured rules for processing output from the application to generate results. | |||
Latest revision as of 07:23, 30 July 2013
Q3 2013
Site Ownership Verification
Site Ownership Verification is a feature that will enable administrators to require users and sites to demonstrate ownership or control over a domain before allowing a scan to proceed.
Ownership will be demonstrated in one of three ways:
- The ability to modify DNS records to present a Minion specified value
- The ability to have the application server include content within the root document
- The ability to place a file with specific values in a specified path on the server
Results Reporting Improvements
Minion does not currently provide all of the detail possible from plugins. In order to support improved reporting, the results structure that Plugins will follow will include additional data. This involves both modifying the plugins that support specific tools to emit this data, and in some cases, the tools as well.
Q4 2013
Reporting Plugins
This is split into two features, Result Inspection for the backend, and Result Reporting for the Front End.
Result Inspection
This feature will allow extensions that will inspect each of the results produced by a Minion plugin, and modification of values. The reference plugin will be one which leverages CVE, CWE, or CVSS data within the results to modify the risk rating assigned to the result.
Result Reporting
Result Reporting Plugins will allow extension of the front end to support modifying the results pages to incorporate new functionality (such as selecting an issue to "promote" to a formal issue tracker such as a Github Issue or Bugzilla).
Landing Page
The landing pages feature will allow extension of the pages that users Home Page within Minion based on group membership and role. For example, an administrator may wish to see administrative capabilities. while a Developer may wish to see an ordered list of issues based on severity.
Deferred Execution Plugins
Because Minion is intended to be extensible and usable by anyone, the core team will implement a plugin template that can be used to invoke a 3rd party scanning service or automate control over another platform. The initial target will be OpenVAS to support infrastructure scanning.
Scan Intensity Level
This will allow plans to be assembled which will invoke the tools added at a specific level, and preventing tools which don't support lower intensity scans being incorporated into plans.
Q1 2014
Cohort PoC
Cohort is a static analysis branch of Minion that is under development. Adopting the same features and functionality, it should provide the same facilities that Minion does, but with a focus on static analysis. When it is ready for a release, the features will be shipped either as a unique platform, or as a set of plugins for Minion.
Historical Issue Tracking
Historical issue tracking will allow users to observe trends over time for a specific plan, site, or a combination of both to observe how issues have been discovered over time. It will also allow flagging of results with feedback to assist with tool and plugin improvements.
Common Configuration Schema
This feature will introduce a schema and a set of rules for expressing configuration options. Included in this schema will be a dictionary of terms and markup that plugin authors can use to modify results of plugin tools to guide future testing and development of Minion.
Wishlist
Site and User Data Privacy
Minion is intended to provide any team with the ability to offer security as a service within their own organization. In some cases these teams may wish to ensure that their data is not shared with other teams or potentially even the Minion service operations team. Site and User Data privacy should allow user profiles to be marked as private and support an as yet undetermined mechanism to support presentation of meaningful data while ensuring that the data is protected from unrelated parties.
Minion Event Model Extensions (simple extensibility)
Extend All the Things! Every significant feature of Minion should be available for extension. This will require careful work to ensure that plugins can't break things.
Scramble - interactive script for generating plugins
Scramble is a concept tool that should allow a user to interactively invoke a command line tool with a set of parameters and emit a basic plugin that can capture the results. It should then interactively help the user to generate structured rules for processing output from the application to generate results.