MSBuild Threat Modeling
Background
As part of current security efforts, let's create an initial Threat Model of the whole product. As a side effect, we'll need to produce High Level Design documents together with the usage scenarios - which will be beneficial for our own reference and for future onboarding. The Design doc with usages should be part of the public repo wiki documents. The threat model document should be part of the private space.
Sequence of work
- [x] Running meeting(s) to put together a draft of the High Level Design
- https://app.diagrams.net/#HJanKrivanek%2Fmsbuild%2Fdoc%252Fdesign%2Fdocumentation%2Fwiki%2FDesign.drawio#%7B%22pageId%22%3A%22KYUkMzLAdZubMLOFAHTG%22%7D
- https://microsoft.sharepoint.com/:f:/t/ManagedLanguagesIDE/EnCKmZdBO8VJlOqP-HlkMUoBIXUv_CrJv1tJxY4s1CoqoA?e=RnAmKY
- [ ] #10215
- [ ] Creating a document (in private space) with design overview and threat assessment, plus mitigation proposals
- [ ] Schedule and run the security review with security team - https://threatmodelingportal.security.azure/create-schedule
Related
- https://github.com/dotnet/msbuild/issues/10064
- https://threatmodelingportal.security.azure/reviewdetail/64c9652a-3816-4035-a656-8046c9e5198f/4cac191f-8b27-4d55-abee-2eafb6470803