Security/FirefoxOperations

471 bytes removed, 01:21, 23 December 2016
Rename to FoxSec
= Cloud Firefox Services & Operations Security =
The FoxSec team is tasked with securing core Firefox services operated by the Cloud Services organization at Mozilla.
[[File:OpSecFoxsec1024.png|300px]]
== Contact ==
Email us at foxsec@mozilla.com with the PGP key [http://gpg.mozilla.org/pks/lookup?op=get&search=0xF7A9B793541A953D Mozilla Cloud Services Security (CloudSec) 6F73539153B31C193A2154EAF7A9B793541A953D]
To report a security issue on a given site, use the bug bounty form [https://www.mozilla.org/en-US/security/bug-bounty/faq-webapp/ as explained here].
== Backlog ==
The tables below summarize the open issues assigned to the FoxSec team, sorted by area of focus. Each cell links to the GitHub issue list for that label.
=== Operational Security ===
{|
|-
| style="background-color: #d04437;"|
[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A%221.1+TDS%22 <span style="color:white;">'''1 HIGH'''<br />'''4 MEDIUM'''<br />'''6 LOW'''<br /></span>]
| style="background-color: #d04437;"|
[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A%221.2+fraud+detection%22 <span style="color:white;">'''2 HIGH'''<br />'''4 MEDIUM'''<br />'''3 LOW'''<br /></span>]
| style="background-color: #4a6785;"|
[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A%221.3+identity+management%22 <span style="color:white;">'''2 MEDIUM'''<br /></span>]
| style="background-color: #d04437;"|
[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A%221.4+infra+hardening%22 <span style="color:white;">'''6 MEDIUM'''<br />'''6 LOW'''<br /></span>]
| style="background-color: #4a6785;"|
[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A%223.2+monitor+external+threats%22 <span style="color:white;">'''1 LOW'''<br /></span>]
|}
{|
|-
| style="background-color: #d04437;"|
[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A%222.1+risk+assessment%22 <span style="color:white;">'''1 HIGH'''<br />'''4 MEDIUM'''<br />'''4 LOW'''<br /></span>]
| style="background-color: #d04437;"|
[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A%222.2+appsec+baseline%22 <span style="color:white;">'''4 HIGH'''<br />'''5 MEDIUM'''<br />'''3 LOW'''<br /></span>]
| style="background-color: #ffd351;"|
[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A%223.1+signature%22 <span style="color:black;">'''2 MEDIUM'''<br />'''4 LOW'''<br /></span>]
| style="background-color: #ffd351;"|
[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A%222.3+security+communication%22 <span style="color:black;">'''1 HIGH'''<br />'''1 MEDIUM'''<br />'''4 LOW'''<br /></span>]
| style="background-color: #4a6785;"|
[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A%222.4+bug+bounty%22 <span style="color:white;">'''1 LOW'''<br /></span>]
| style="background-color: #4a6785;"|
[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A%223.3+external+audits%22 <span style="color:white;">'''1 MEDIUM'''<br />'''1 LOW'''<br /></span>]
|}
* Admin panels should rely on Mozilla's Identity Management platform provided by IT, rather than maintaining their own user database and password handling.
* Third-party services (Datadog, PagerDuty, AWS) should have automated user management (userplex), so that offboarding an employee removes their access everywhere in one step.
FoxSec needs to facilitate integration with Mozilla's IAM by providing standard libraries and tools.
==== 1.4 Harden the infrastructure ====
==== 2.1 Help new projects identify threats and controls (RRA, threat models,...) ====
Risk assessment and threat modeling help people think through failure scenarios they would not evaluate otherwise. RRAs often lead to architectural changes that are best identified early, before the design is locked in. Each new project must undergo a 30- to 60-minute RRA with a member of FoxSec to assess the security posture of the project.
==== 2.2 Implement baseline services security standards ====
Content Security Policy (CSP), HSTS, HPKP, data signature and encryption, input validation, and XSS and SQLi protection are among the techniques developers should care about when building new services. FoxSec defines services security standards that developers can implement and that FoxSec tests in TDS. (Note that HPKP has since been deprecated by browsers because a wrong pin set can lock users out of a site; treat it as historical.)
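As an added illustration of what "testing the baseline" means in practice (this is not the project's own TDS code), the following Go program checks a set of response headers for two of the items listed above, CSP and HSTS, and reports each violation. The sample header sets and the six-month HSTS minimum are constructed for the example; the checker does not fetch anything.

```go
package main

import (
	"fmt"
	"net/http"
	"strconv"
	"strings"
)

// minHSTSMaxAge is six months in seconds, an assumed baseline threshold for
// this example; pick whatever your standard requires.
const minHSTSMaxAge = 15552000

// hstsMaxAge extracts the max-age directive from an HSTS header value.
// It returns -1 when the directive is absent or unparsable.
func hstsMaxAge(hsts string) int {
	for _, d := range strings.Split(hsts, ";") {
		d = strings.TrimSpace(d)
		if strings.HasPrefix(strings.ToLower(d), "max-age=") {
			n, err := strconv.Atoi(strings.TrimSpace(d[len("max-age="):]))
			if err != nil {
				return -1
			}
			return n
		}
	}
	return -1
}

// CheckBaseline returns one finding per baseline violation in h.
// A nil/empty result means the headers pass the CSP and HSTS checks.
func CheckBaseline(h http.Header) []string {
	var findings []string

	csp := h.Get("Content-Security-Policy")
	if csp == "" {
		findings = append(findings, "CSP: header missing")
	} else {
		if !strings.Contains(csp, "default-src") {
			findings = append(findings, "CSP: no default-src fallback, directives not listed are unrestricted")
		}
		for _, weak := range []string{"'unsafe-inline'", "'unsafe-eval'"} {
			if strings.Contains(csp, weak) {
				findings = append(findings, "CSP: "+weak+" present, most XSS payloads still execute")
			}
		}
	}

	hsts := h.Get("Strict-Transport-Security")
	if hsts == "" {
		findings = append(findings, "HSTS: header missing")
	} else {
		if age := hstsMaxAge(hsts); age < minHSTSMaxAge {
			findings = append(findings, fmt.Sprintf("HSTS: max-age %d is below %d", age, minHSTSMaxAge))
		}
		if !strings.Contains(strings.ToLower(hsts), "includesubdomains") {
			findings = append(findings, "HSTS: includeSubDomains absent, subdomains can still be downgraded")
		}
	}
	return findings
}

func main() {
	// Constructed sample headers, not captured from any real service.
	weak := http.Header{}
	weak.Set("Content-Security-Policy", "script-src 'self' 'unsafe-inline'")
	weak.Set("Strict-Transport-Security", "max-age=3600")

	good := http.Header{}
	good.Set("Content-Security-Policy", "default-src 'none'; script-src 'self'; style-src 'self'")
	good.Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")

	for _, c := range []struct {
		name string
		h    http.Header
	}{{"weak", weak}, {"good", good}} {
		findings := CheckBaseline(c.h)
		fmt.Printf("%s: %d finding(s)\n", c.name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

The "weak" set produces four findings and the "good" set none; wiring the same function to the headers of a real response is a one-line change with net/http.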
==== 2.3 Communicate security effectively throughout the organization ====
Teams need a channel to ask security questions, discuss concerns and share techniques. FoxSec must organize the information flow and broadcast to developers, ops and managers. This includes general security best practices, analysis of and actions to take on CVE vulnerabilities, and response and communication on incidents.
==== 2.4 Use Mozilla’s bug bounty program ====
==== 3.1 Sign data that changes the configuration of user agents ====
We iterate fast, and eventually someone, either us or a partner, is bound to make a mistake and open a door that could put our users at risk. Signing the data we send to our users helps cover that risk: a client that verifies the signature before applying the data will reject anything that was altered in transit or served from a compromised or misconfigured origin, as long as the signing key itself stays protected. Digital signature for Firefox is a complex topic (not every project can implement it independently), so FoxSec must provide the tooling and services to facilitate signing ([https://github.com/mozilla-services/autograph autograph]).
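The following Go program is an added example of the sign-then-verify round trip the paragraph describes; it is not autograph's code and does not reproduce autograph's wire format or key handling. It signs a constructed configuration blob with ECDSA over P-384 (SHA-384 digest), verifies the untouched blob, then flips one bit and shows that verification fails. The sample payload and the choice of curve are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"errors"
	"fmt"
)

// SignBlob signs blob with ECDSA over P-384 and SHA-384 and returns the
// ASN.1 DER-encoded signature.
func SignBlob(priv *ecdsa.PrivateKey, blob []byte) ([]byte, error) {
	digest := sha512.Sum384(blob)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyBlob returns true only if sig was produced over exactly these bytes
// by the holder of the private key matching pub. A client should apply the
// blob only when this returns true.
func VerifyBlob(pub *ecdsa.PublicKey, blob, sig []byte) bool {
	digest := sha512.Sum384(blob)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// RoundTrip generates a fresh signing key, signs blob, and reports whether
// the untouched blob verifies (expected true) and whether a copy with a
// single bit flipped still verifies (expected false).
func RoundTrip(blob []byte) (intact bool, tampered bool, err error) {
	if len(blob) == 0 {
		return false, false, errors.New("empty blob")
	}
	priv, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	sig, err := SignBlob(priv, blob)
	if err != nil {
		return false, false, err
	}
	intact = VerifyBlob(&priv.PublicKey, blob, sig)

	// Simulate a partner pipeline or an attacker altering the payload after
	// it was signed: flip one bit in the last byte.
	altered := append([]byte(nil), blob...)
	altered[len(altered)-1] ^= 0x01
	tampered = VerifyBlob(&priv.PublicKey, altered, sig)
	return intact, tampered, nil
}

func main() {
	// Constructed sample payload: a made-up preference update, not real data.
	blob := []byte(`{"pref":"app.update.channel","value":"release"}`)
	intact, tampered, err := RoundTrip(blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("original verifies: %v, tampered copy verifies: %v\n", intact, tampered)
}
```

In a deployment the private key lives in the signing service and only the public key ships with the client; the client-side check is the VerifyBlob half, and a failed verification must cause the data to be discarded, not applied with a warning.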
==== 3.2 Monitor our ecosystem for external threats ====
== Sites and Services ==
FoxSec is responsible for the security of the following websites and backend services.
(Note: FoxSec is not responsible for the security of the client-side implementations in Firefox, only of the backend services.)
=== ABSearch ===
* receiptcheck.marketplace.firefox.com
* static.marketplace.firefox.com
 
In Bounty Scope? Yes
 
=== Persona ===
Code: [https://github.com/mozilla/persona persona]
 
Public Endpoints:
* browserid.org
* firefoxos.persona.org
* persona.org
* static.login.persona.org
* verifier.login.persona.org
* www.browserid.org
* www.persona.org
* yahoo.login.persona.org
* gmail.login.persona.org
* login.anosrep.org
* login.mozilla.org
* login.persona.org
* diresworb.org
In Bounty Scope? Yes
=== Normandy ===
Code:
* [https://github.com/mozilla/normandy normandy]
 
Public Endpoints: TBD
=== Telemetry ===
Code:
* [https://github.com/mozilla/telemetry-server telemetry-server] (deprecated; moving to [https://github.com/mozilla/telemetry-analysis-service telemetry-analysis-service])
* [https://github.com/mozilla/telemetry-dashboard/ telemetry-dashboard]