Security/FirefoxOperations

From MozillaWiki

Firefox Operations Security

Firefox Operations Security is responsible for application & operations security for internal & external services and websites in the Firefox organization that host sensitive data or provide a mission critical service.


Contact

Email us at secops@mozilla.com.

To report a security issue on a given site, use the bug bounty form as explained here.

To tell us about a new service, create a New Service issue.

Product Lines

  • Firefox Accounts
  • Addons.mozilla.org
  • Browser services (sync, push, normandy, remote settings, balrog, product delivery, etc.)
  • Data services (telemetry, pioneer, taar, prio, etc.)
  • Web presence of Premium services (FxSend, FxMonitor, FPN website, etc.)
  • Release Engineering (taskcluster, shipit, *.build.m.o, build infra, etc.)
  • Developer Services (phabricator, lando, bugzilla, sentry, crash reports, etc.)

Scope

Application security

Responsibility for internal & external services and websites in the Firefox organization that host sensitive data or provide a mission critical service.

  • Risk assessments
  • Security Reviews
  • Manual and automated testing
  • Review risks w/ product owners
  • Security incident management

The application security group also owns cryptographic services (autograph, tls canary, tls observatory, etc.) and appsec tooling (zap, dependency observatory, etc.).

Operations security

Responsibility for infrastructure and hosting of Firefox services.

  • Covers the security of AWS and GCP infrastructure, and datacenters for the build infra
  • Security operations consulting for the Firefox organization at large

The operations security group also owns the fraud pipeline (foxsec-pipeline) and secops tooling (frost, sops, etc.).

Risk Management

Responsibility for maintaining visibility into the security posture of the Firefox infrastructure.

  • Rapid Risk Assessments framework & associated tooling
  • Security posture reports & leadership reporting

Security Checklist

This has moved to https://github.com/mozilla-services/websec-check

The Firefox Operations Security logo is derived from this work by Synth Agency, and published under Creative Commons Attribution-NonCommercial 4.0 International Public License.