| Line 28: | Line 28: | ||
|- | |- | ||
| style="background-color: #d04437;"| | | style="background-color: #d04437;"| | ||
[https://github.com/mozilla-services/cloudsec/issues?q=is%3Aopen+is%3Aissue+label%3A"1.1+TDS" <span style="color:white;">''' | [https://github.com/mozilla-services/cloudsec/issues?q=is%3Aopen+is%3Aissue+label%3A"1.1+TDS" <span style="color:white;">'''1 HIGH'''<br />'''4 MEDIUM'''<br />'''6 LOW'''<br /></span>] | ||
| style="background-color: #d04437;"| | | style="background-color: #d04437;"| | ||
[https://github.com/mozilla-services/cloudsec/issues?q=is%3Aopen+is%3Aissue+label%3A"1.2+fraud+detection" <span style="color:white;">''' | [https://github.com/mozilla-services/cloudsec/issues?q=is%3Aopen+is%3Aissue+label%3A"1.2+fraud+detection" <span style="color:white;">'''2 HIGH'''<br />'''2 MEDIUM'''<br />'''2 LOW'''<br /></span>] | ||
| style="background-color: # | | style="background-color: #ffd351;"| | ||
[https://github.com/mozilla-services/cloudsec/issues?q=is%3Aopen+is%3Aissue+label%3A"1.3+identity+management" <span style="color: | [https://github.com/mozilla-services/cloudsec/issues?q=is%3Aopen+is%3Aissue+label%3A"1.3+identity+management" <span style="color:black;">'''3 MEDIUM'''<br /></span>] | ||
| style="background-color: #d04437;"| | | style="background-color: #d04437;"| | ||
[https://github.com/mozilla-services/cloudsec/issues?q=is%3Aopen+is%3Aissue+label%3A"1.4+infra+hardening" <span style="color:white;">'''4 MEDIUM'''<br />''' | [https://github.com/mozilla-services/cloudsec/issues?q=is%3Aopen+is%3Aissue+label%3A"1.4+infra+hardening" <span style="color:white;">'''1 HIGH'''<br />'''4 MEDIUM'''<br />'''3 LOW'''<br /></span>] | ||
| style="background-color: #4a6785;"| | | style="background-color: #4a6785;"| | ||
[https://github.com/mozilla-services/cloudsec/issues?q=is%3Aopen+is%3Aissue+label%3A"3.2+monitor+external+threats" <span style="color:white;">'''2 LOW'''<br /></span>] | [https://github.com/mozilla-services/cloudsec/issues?q=is%3Aopen+is%3Aissue+label%3A"3.2+monitor+external+threats" <span style="color:white;">'''2 LOW'''<br /></span>] | ||
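Review bot: the severity cells in this hunk switch between #d04437 (red, white text), #ffd351 (yellow, black text) and #4a6785 (blue, white text) but the threshold behind each colour is not stated anywhere in the table; 1.3 identity management with 3 MEDIUM is yellow while 3.2 with 2 LOW is blue, and a reader cannot tell whether a single MEDIUM would flip a cell. Add a one-line legend above the table (for example: red = any HIGH open, yellow = two or more MEDIUM open, blue = otherwise) so that future count edits like the 1.1 TDS and 1.4 infra hardening changes here can be checked against a rule rather than eyeballed.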
| Line 55: | Line 55: | ||
External audits | External audits | ||
|- | |- | ||
| style="background-color: #4a6785;"| | |||
[https://github.com/mozilla-services/cloudsec/issues?q=is%3Aopen+is%3Aissue+label%3A"2.1+risk+assessment" <span style="color:white;">'''1 MEDIUM'''<br />'''3 LOW'''<br /></span>] | |||
| style="background-color: #ffd351;"| | | style="background-color: #ffd351;"| | ||
[https://github.com/mozilla-services/cloudsec/issues?q=is%3Aopen+is%3Aissue+label%3A"2. | [https://github.com/mozilla-services/cloudsec/issues?q=is%3Aopen+is%3Aissue+label%3A"2.2+appsec+baseline" <span style="color:black;">'''2 MEDIUM'''<br />'''3 LOW'''<br /></span>] | ||
| style="background-color: # | | style="background-color: #4a6785;"| | ||
[https://github.com/mozilla-services/cloudsec/issues?q=is%3Aopen+is%3Aissue+label%3A" | [https://github.com/mozilla-services/cloudsec/issues?q=is%3Aopen+is%3Aissue+label%3A"3.1+signature" <span style="color:white;">'''1 MEDIUM'''<br />'''2 LOW'''<br /></span>] | ||
| style="background-color: #4a6785;"| | | style="background-color: #4a6785;"| | ||
[https://github.com/mozilla-services/cloudsec/issues?q=is%3Aopen+is%3Aissue+label%3A"2.3+security+communication" <span style="color:white;">'''1 MEDIUM'''<br />'''4 LOW'''<br /></span>] | |||
[https://github.com/mozilla-services/cloudsec/issues?q=is%3Aopen+is%3Aissue+label%3A"2.3+security+communication" <span style="color:white;" | |||
| style="background-color: #4a6785;"| | | style="background-color: #4a6785;"| | ||
[https://github.com/mozilla-services/cloudsec/issues?q=is%3Aopen+is%3Aissue+label%3A"2.4+bug+bounty" <span style="color:white;" | [https://github.com/mozilla-services/cloudsec/issues?q=is%3Aopen+is%3Aissue+label%3A"2.4+bug+bounty" <span style="color:white;">'''1 LOW'''<br /></span>] | ||
| style="background-color: #4a6785;"| | | style="background-color: #4a6785;"| | ||
[https://github.com/mozilla-services/cloudsec/issues?q=is%3Aopen+is%3Aissue+label%3A"3.3+external+audits" <span style="color:white;">'''1 | [https://github.com/mozilla-services/cloudsec/issues?q=is%3Aopen+is%3Aissue+label%3A"3.3+external+audits" <span style="color:white;">'''1 MEDIUM'''<br />'''1 LOW'''<br /></span>] | ||
|} | |} | ||
| Line 123: | Line 123: | ||
== Security Checklist == | == Security Checklist == | ||
See https://github.com/mozilla-services/cloudsec/blob/master/security_checklist.md | |||
The checklist below is in MARKDOWN format to be copy/pasted into Github issues. | |||
<code> | |||
Infrastructure rules | |||
-------------------- | |||
* Use [https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility | * [ ] Use [Modern TLS](https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility) (**INFRA-TLS**) | ||
* Set HSTS to | * [ ] Set HSTS to 31536000 (1 year) (**INFRA-HSTS**) | ||
* Set HPKP to | * [ ] Set HPKP to 5184000 (60 days) (**INFRA-HPKP**) | ||
* | * `Public-Key-Pins: max-age=300; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; report-uri="/__hpkpreport__";` | ||
* | * Start with max-age set to 5 minutes and increase gradually | ||
* | * Pin to the EV and DV roots of Digicert | ||
* | * Set a reporting endpoint `/__hpkpreport__` to catch violations in nginx ([example conf](https://github.com/mozilla-services/puppet-config/blob/HEAD/amo/modules/amo_proxy/templates/nginx.hpkpreport.conf.erb)) | ||
* If service has an admin panels, it must: | |||
* [ ] only be available behind Mozilla VPN (which provides MFA) (**INFRA-ADMINVPN**) | |||
* [ ] require LDAP authentication (**INFRA-ADMINLDAP**) | |||
* [ ] enforce a two-man rule on sensitive changes (**INFRA-2MANRULE**) | |||
Coding rules | |||
------------ | |||
The following rules apply to all web applications: api and websites. | The following rules apply to all web applications: api and websites. | ||
* Detailed logging in mozlog format ( | * [ ] Sign all commits (**APP-COMMITSIG**) | ||
* Developers should [configure git to sign all commits](http://micropipes.com/blog//2016/08/31/signing-your-commits-on-github-with-a-gpg-key/) and upload their PGP fingerprint to https://login.mozilla.com | |||
* [ ] Detailed logging in mozlog format (**APP-MOZLOG**) | |||
* Business logic must be logged with app specific codes (errno) | |||
* Access control failures must be logged at WARN level | |||
* [ ] All SQL queries must be parameterized, not concatenated (**APP-SQL**) | |||
* [ ] User data must be escaped for the right context prior to reflecting it (**APP-ESCAPE**) | |||
* [ ] Apply sensible limits to user inputs, see [input validation](https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Input_Validation) (**APP-INPUTVAL**) | |||
* [ ] Enforce Access Controls server-side (**APP-ACL**) | |||
* [ ] Set the Secure flag on [Cookies](https://wiki.mozilla.org/Security/Guidelines/Web_Security#Cookies), and use sensible Expiration and HTTPOnly (**APP-SECCOOKIE**) | |||
* Keep 3rd-party libraries up to date (**APP-DEPS**) | |||
* [ ] Use [NSP](https://nodesecurity.io/) or [GreenKeeper](https://greenkeeper.io/ Greenkeeper) for NodeJS applications | |||
* [ ] Use pip --outdated or [requires.io](https://requires.io/) for Python applications | |||
* [ ] If handling cryptographic keys, must have a mechanism to handle monthly key rotations (**APP-KEYROT**) | |||
* [ ] All keys must be rotated quarterly. | |||
* Keys used to sign sessions don't need a rotation mechanism if destroying all sessions is acceptable during. | |||
### Additional websites requirements | |||
The following coding rules only apply to websites, not web apis. | |||
The following coding rules only apply to websites. | |||
* Never store passwords, use Firefox Accounts ( | * [ ] Never store passwords, use Firefox Accounts (**APP-IDP**) | ||
* Forbid Mixed content, always use HTTPS ( | * [ ] Forbid Mixed content, always use HTTPS (**APP-MIXCONTENT**) | ||
* Must have a CSP with ( | * [ ] Must have a CSP with (**APP-CSP**) | ||
* | * [ ] a report-uri pointing to the service /__cspreport__ | ||
* | * [ ] frame-options set to deny | ||
* | * [ ] no use of unsafe-inline or unsafe-eval | ||
* Must have CSRF tokens and manually excluded specific forms ( | * [ ] Must have CSRF tokens and manually excluded specific forms (**APP-CSRF**) | ||
* | * [ ] Should consider having checksums for 3rd-party content via SRI (**APP-SRI**). | ||
* Consider Security headers as appropriate ( | * Trusted 3rd parties, like Google Analytics, don't need SRI. Use your best judgment to decide if a 3rd party script is trustworthy (and assume it is not). | ||
* | * Consider Security headers as appropriate (**APP-HEADERS**) | ||
* | * [ ] X-Content-Type-Options | ||
* | * [ ] X-Frame-Options | ||
* [ ] X-XSS-Protection | |||
Data rules | |||
---------- | |||
* | * When storing sensitive user data (like browsing history) on Mozilla servers: | ||
* | * [ ] Anonymize it (similar to Tiles) (**DATA-ANON**) | ||
* | * [ ] Encrypt it client-side (similar to Sync) (**DATA-CRYPT**) | ||
* | * [ ] If user data must be stored non-anonymized and in clear text, you must talk to the security and legal teams about it. | ||
* | * If the service pushes data to Firefox, like when distributing blacklists or pushing updates, cryptographic signatures must be used. (**DATA-SIGN**) | ||
* | * [ ] Addons must use standard AMO signing (**APP-SIGNING**) | ||
* [ ] Code & Conf must use Content-Signature via | |||
[Autograph](https://github.com/mozilla-services/autograph) (**DATA-SIGNING**) | |||
</code> | |||
== Sites and Services == | == Sites and Services == | ||
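Review bot: the CSP bullet "frame-options set to deny" names a directive that does not exist in shipped CSP; `frame-options` was a CSP 1.1 draft directive that was dropped, and the directive that actually restricts framing is `frame-ancestors`, so the line should read "frame-ancestors set to 'none'" (with `X-Frame-Options: DENY` kept under APP-HEADERS for browsers that predate it). Smaller points in the same hunk: the sentence "The following coding rules only apply to websites, not web apis." is immediately repeated and one copy should go; the session-key bullet ends mid-sentence ("...if destroying all sessions is acceptable during.") and needs its ending restored; "If service has an admin panels" should be "If the service has an admin panel"; the Greenkeeper link `[GreenKeeper](https://greenkeeper.io/ Greenkeeper)` mixes wiki-link syntax into a markdown link and will not render; the parent items for APP-DEPS, APP-HEADERS and DATA-SIGN lack the `[ ]` checkbox that every sibling item carries; and the DATA-SIGNING item is split across two lines ("Code & Conf must use Content-Signature via" / "[Autograph](...)"), which breaks the bullet once the block is pasted into a GitHub issue as the intro sentence intends.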