The table below summarizes the open issues assigned to the CloudSec team, sorted by area of focus.
=== Operational Security ===
{| class="wikitable"
|- style="vertical-align:top;"
! style="height:100px; width:300px; text-align:center;" |
! style="height:100px; width:200px; text-align:center;" |
Continuous Testing (TDS)
! style="height:100px; width:200px; text-align:center;" |
Fraud Detection
! style="height:100px; width:200px; text-align:center;" |
Identity Management
! style="height:100px; width:200px; text-align:center;" |
Infra Hardening
! style="height:100px; width:200px; text-align:center;" |
Threat monitoring
|-
! Operational security
| style="background-color: yellow;"|
[https://github.com/mozilla-services/cloudsec/issues?q=is%3Aopen+is%3Aissue+label%3A"1.1+TDS" '''2 HIGH'''<br />'''2 MEDIUM'''<br />'''2 LOW'''<br />]
| style="background-color: yellow;"|
[https://github.com/mozilla-services/cloudsec/issues?q=is%3Aopen+is%3Aissue+label%3A"1.2+fraud+detection" '''3 HIGH'''<br />'''1 MEDIUM'''<br />]
| style="background-color: green;"|
[https://github.com/mozilla-services/cloudsec/issues?q=is%3Aopen+is%3Aissue+label%3A"1.3+identity+management" '''1 MEDIUM'''<br />'''1 LOW'''<br />]
| style="background-color: yellow;"|
[https://github.com/mozilla-services/cloudsec/issues?q=is%3Aopen+is%3Aissue+label%3A"1.4+infra+hardening" '''3 MEDIUM'''<br />'''3 LOW'''<br />]
| style="background-color: green;"|
[https://github.com/mozilla-services/cloudsec/issues?q=is%3Aopen+is%3Aissue+label%3A"3.2+monitor+external+threats" '''2 LOW'''<br />]
|}
=== Application Security ===
{| class="wikitable"
|- style="vertical-align:top;"
! style="height:100px; width:300px; text-align:center;" |
! style="height:100px; width:200px; text-align:center;" |
Risk & Security reviews
! style="height:100px; width:200px; text-align:center;" |
Test & Implement Baseline Security
! style="height:100px; width:200px; text-align:center;" |
Data & Code Signing
! style="height:100px; width:200px; text-align:center;" |
Training & Communication
! style="height:100px; width:200px; text-align:center;" |
Bug Bounty
|-
! Application Security
| style="background-color: yellow;"|
2 HIGH<br />1 LOW<br />
| style="background-color: yellow;"|
1 HIGH<br />1 MEDIUM<br />
| style="background-color: green;"|
1 HIGH<br />2 LOW<br />
| no pending task
|}
{| class="wikitable"
|- style="vertical-align:top;"
! style="height:100px; width:300px; text-align:center;" |
! style="height:100px; width:200px; text-align:center;" |
Data & Code Signing
! style="height:100px; width:200px; text-align:center;" |
Threat monitoring
! style="height:100px; width:200px; text-align:center;" |
External audits
|-
! Core security services
| style="background-color: yellow;"|
[https://github.com/mozilla-services/cloudsec/issues?q=is%3Aopen+is%3Aissue+label%3A"2.1+risk+assessment" '''2 HIGH'''<br />'''1 LOW'''<br />]
| style="background-color: yellow;"|
[https://github.com/mozilla-services/cloudsec/issues?q=is%3Aopen+is%3Aissue+label%3A"2.2+appsec+baseline" '''1 HIGH'''<br />'''1 MEDIUM'''<br />]
| style="background-color: yellow;"|
[https://github.com/mozilla-services/cloudsec/issues?q=is%3Aopen+is%3Aissue+label%3A"3.1+signature" '''1 HIGH'''<br />'''1 MEDIUM'''<br />'''1 LOW'''<br />]
| style="background-color: green;"|
[https://github.com/mozilla-services/cloudsec/issues?q=is%3Aopen+is%3Aissue+label%3A"2.3+security+communication" '''1 HIGH'''<br />'''2 LOW'''<br />]
| no pending task
| style="background-color: green;"|
[https://github.com/mozilla-services/cloudsec/issues?q=is%3Aopen+is%3Aissue+label%3A"3.3+external+audits" '''1 LOW'''<br />]
|}
* Set HSTS to 2592000 (30 days) ('''INFRA-HSTS''')
* Set HPKP to 2592000 (30 days) ('''INFRA-HPKP''')
* Admin panels must:
** only be available behind Mozilla VPN (which provides MFA) ('''INFRA-ADMINVPN''')
** require LDAP authentication ('''INFRA-ADMINLDAP''')
** enforce a two-man rule on sensitive changes ('''INFRA-ADMIN2MANRULE''')
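An added check, not part of this wiki page or of Mozilla's own tooling, that parses HSTS and HPKP header values and flags a max-age below the 30-day value the INFRA-HSTS and INFRA-HPKP items above require; the "at least two pins" rule on HPKP is an extra assumption taken from RFC 7469, and the sample headers are constructed, not captured from any service.

```python
# Minimum max-age from the INFRA-HSTS / INFRA-HPKP requirements: 30 days in seconds.
REQUIRED_MAX_AGE = 2592000


def parse_directives(header_value):
    """Split 'max-age=2592000; includeSubDomains; pin-sha256="..."' into an
    ordered list of (name, value) pairs; repeated names (pins) are preserved."""
    pairs = []
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((name.strip().lower(), value.strip().strip('"') if value else None))
    return pairs


def max_age_finding(label, pairs):
    """Return a finding string if max-age is missing, malformed or below 30 days."""
    values = [v for n, v in pairs if n == "max-age"]
    if not values or values[0] is None or not values[0].isdigit():
        return f"{label}: max-age missing or not an integer"
    if int(values[0]) < REQUIRED_MAX_AGE:
        return f"{label}: max-age {values[0]} is below the required {REQUIRED_MAX_AGE}"
    return None


def check_hsts(header_value):
    """Findings for a Strict-Transport-Security value; [] means INFRA-HSTS is met."""
    finding = max_age_finding("HSTS", parse_directives(header_value))
    return [finding] if finding else []


def check_hpkp(header_value):
    """Findings for a Public-Key-Pins value: max-age per INFRA-HPKP, plus the
    RFC 7469 backup-pin rule (at least two pin-sha256 values; assumption, not
    something the wiki page states)."""
    pairs = parse_directives(header_value)
    findings = []
    finding = max_age_finding("HPKP", pairs)
    if finding:
        findings.append(finding)
    pins = [v for n, v in pairs if n == "pin-sha256" and v]
    if len(pins) < 2:
        findings.append(f"HPKP: {len(pins)} pin(s) present, at least 2 required")
    return findings


if __name__ == "__main__":
    # Constructed sample headers, not taken from any real Mozilla service.
    print(check_hsts("max-age=31536000; includeSubDomains"))   # []
    print(check_hsts("max-age=86400"))                          # max-age too short
    print(check_hpkp('pin-sha256="AAAA"; max-age=2592000'))     # only one pin
```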
=== Coding rules ===