| Line 1: | Line 1: | ||
= Firefox Services & Operations Security = | = Firefox Services & Operations Security = | ||
The | The FoxSec team is tasked with securing core Firefox services operated by the Firefox Services Engineering and Operations organization at Mozilla. | ||
[[File:Foxsec1024.png| | [[File:Foxsec1024.png|400px|right]] | ||
== Contact == | == Contact == | ||
| Line 30: | Line 30: | ||
|- | |- | ||
| style="background-color: #d04437;"| | | style="background-color: #d04437;"| | ||
[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"1.1+TDS" <span style="color:white;" | [https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"1.1+TDS" <span style="color:white;">'''4 MEDIUM'''<br />'''5 LOW'''<br /></span>] | ||
| style="background-color: #d04437;"| | | style="background-color: #d04437;"| | ||
[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"1.2+fraud+detection" <span style="color:white;">'''2 HIGH'''<br />''' | [https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"1.2+fraud+detection" <span style="color:white;">'''2 HIGH'''<br />'''3 MEDIUM'''<br />'''5 LOW'''<br /></span>] | ||
| style="background-color: # | | style="background-color: #ffd351;"| | ||
[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"1.3+identity+management" <span style="color: | [https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"1.3+identity+management" <span style="color:black;">'''1 HIGH'''<br />'''2 MEDIUM'''<br /></span>] | ||
| style="background-color: #d04437;"| | | style="background-color: #d04437;"| | ||
[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"1.4+infra+hardening" <span style="color:white;">''' | [https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"1.4+infra+hardening" <span style="color:white;">'''7 MEDIUM'''<br />'''8 LOW'''<br /></span>] | ||
| style="background-color: #4a6785;"| | | style="background-color: #4a6785;"| | ||
[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"3.2+monitor+external+threats" <span style="color:white;">'''1 LOW'''<br /></span>] | [https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"3.2+monitor+external+threats" <span style="color:white;">'''1 LOW'''<br /></span>] | ||
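Review bot: the cell background colour no longer tracks the highest open severity in this hunk. 1.1 TDS drops to 4 MEDIUM / 5 LOW and 1.4 infra hardening to 7 MEDIUM / 8 LOW, yet both keep the red #d04437 that the other cells use when HIGH issues are open, while 1.3 identity management still lists 1 HIGH and is switched to yellow #ffd351. Pick one rule (for example red only when a HIGH count is present, yellow otherwise) and set each cell's style attribute and the matching span text colour (white on red, black on yellow) accordingly, so the heatmap reads correctly at a glance.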
| Line 57: | Line 57: | ||
External audits | External audits | ||
|- | |- | ||
| style="background-color: #ffd351;"| | |||
[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"2.1+risk+assessment" <span style="color:black;">'''3 MEDIUM'''<br />'''3 LOW'''<br /></span>] | |||
| style="background-color: #d04437;"| | | style="background-color: #d04437;"| | ||
[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"2.2+appsec+baseline" <span style="color:white;">'''2 HIGH'''<br />'''8 MEDIUM'''<br />'''6 LOW'''<br /></span>] | |||
[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"2.2+appsec+baseline" <span style="color:white;">''' | |||
| style="background-color: #ffd351;"| | | style="background-color: #ffd351;"| | ||
[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"3.1+signature" <span style="color:black;">'''2 MEDIUM'''<br />''' | [https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"3.1+signature" <span style="color:black;">'''2 HIGH'''<br />'''1 MEDIUM'''<br />'''1 LOW'''<br /></span>] | ||
| style="background-color: #ffd351;"| | | style="background-color: #ffd351;"| | ||
[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"2.3+security+communication" <span style="color:black;" | [https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"2.3+security+communication" <span style="color:black;">'''1 MEDIUM'''<br />'''6 LOW'''<br /></span>] | ||
| style="background-color: #4a6785;"| | | style="background-color: #4a6785;"| | ||
[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"2.4+bug+bounty" <span style="color:white;">''' | [https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"2.4+bug+bounty" <span style="color:white;">'''2 LOW'''<br /></span>] | ||
| style="background-color: # | | style="background-color: #ffd351;"| | ||
[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"3.3+external+audits" <span style="color: | [https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"3.3+external+audits" <span style="color:black;">'''1 HIGH'''<br />'''1 MEDIUM'''<br />'''1 LOW'''<br /></span>] | ||
|} | |} | ||
== Strategy == | == Strategy == | ||
=== 1. Improve operational security of the core infrastructure === | === 1. Improve operational security of the core infrastructure === | ||
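Review bot: the severity-to-colour mapping is inconsistent across these cells. 3.1 signature now shows 2 HIGH but stays on yellow #ffd351, 3.3 external audits gains 1 HIGH and is changed to yellow, whereas 2.2 appsec baseline with 2 HIGH stays red #d04437 and 2.1 risk assessment with no HIGH issues is yellow. Whichever threshold is intended, apply it to every cell's background and keep the span text colour readable against it (black on #ffd351, white on #d04437); otherwise a reader cannot tell from the table which areas carry open HIGH findings.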
| Line 190: | Line 189: | ||
* [ ] X-Frame-Options | * [ ] X-Frame-Options | ||
* [ ] X-XSS-Protection | * [ ] X-XSS-Protection | ||
* [ ] Host user uploaded content on a separate domain (e.g. FxA avatar images on firefoxcontent.com, bug attachments on bug<bug ID>.bmoattachments.org) | |||
Data rules | Data rules | ||
| Line 215: | Line 215: | ||
Public Endpoints: | Public Endpoints: | ||
* search.services.mozilla.com | * search.services.mozilla.com | ||
=== Addons.mozilla.org === | === Addons.mozilla.org === | ||
| Line 235: | Line 233: | ||
* versioncheck-bg.addons.mozilla.org | * versioncheck-bg.addons.mozilla.org | ||
* versioncheck.addons.mozilla.org | * versioncheck.addons.mozilla.org | ||
=== Product Delivery === | === Product Delivery === | ||
| Line 244: | Line 240: | ||
* download-installer.cdn.mozilla.net | * download-installer.cdn.mozilla.net | ||
* download.mozilla.org | * download.mozilla.org | ||
=== AUS/Balrog === | === AUS/Balrog === | ||
| Line 256: | Line 250: | ||
* aus.mozilla.org | * aus.mozilla.org | ||
=== Crash reports (Socorro) === | |||
Code: https://github.com/mozilla/socorro/ | |||
Public Endpoints: | |||
* crash-reports-xpsp2.mozilla.com | |||
* crash-reports.mozilla.com | |||
* crash-stats.mozilla.com | |||
=== Firefox Accounts === | === Firefox Accounts === | ||
| Line 273: | Line 273: | ||
* profile.accounts.firefox.com | * profile.accounts.firefox.com | ||
* verifier.accounts.firefox.com | * verifier.accounts.firefox.com | ||
=== Firefox Sync === | === Firefox Sync === | ||
| Line 284: | Line 282: | ||
* *.$region.sync.services.mozilla.com | * *.$region.sync.services.mozilla.com | ||
* token.services.mozilla.com | * token.services.mozilla.com | ||
=== Location (MLS) === | === Location (MLS) === | ||
| Line 304: | Line 291: | ||
* location.services.mozilla.com | * location.services.mozilla.com | ||
* location-leaderboard.services.mozilla.com | * location-leaderboard.services.mozilla.com | ||
=== Marketplace.firefox.com === | === Marketplace.firefox.com === | ||
| Line 314: | Line 299: | ||
* receiptcheck.marketplace.firefox.com | * receiptcheck.marketplace.firefox.com | ||
* static.marketplace.firefox.com | * static.marketplace.firefox.com | ||
=== Push === | === Push === | ||
| Line 326: | Line 309: | ||
* updates.push.services.mozilla.com | * updates.push.services.mozilla.com | ||
=== Firefox Settings (Kinto) === | |||
Code: https://github.com/Kinto/kinto | |||
Public Endpoints: | |||
* firefox.settings.services.mozilla.com | |||
=== Pageshot === | |||
Code: https://github.com/mozilla-services/pageshot/ | |||
Public Endpoints: pageshot.net | |||
=== Shield / Normandy === | === Shield / Normandy === | ||
Code: | Code: | ||
* [https://github.com/mozilla/normandy normandy] | * [https://github.com/mozilla/normandy normandy] | ||
Public Endpoints: self-repair.mozilla.org | |||
=== Telemetry === | === Telemetry === | ||
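Review bot: dropping the "Public Endpoints: self-repair.mozilla.org" line leaves Shield / Normandy as a service section with a Code entry but no Public Endpoints entry, while every other service section on this page lists its public endpoints. If self-repair.mozilla.org has been retired, add the replacement endpoint or an explicit note that the service has none, so the endpoint inventory stays complete; if the removal was unintended, restore the line.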
| Line 354: | Line 337: | ||
* sql.telemetry.mozilla.org | * sql.telemetry.mozilla.org | ||
* metrics.services.mozilla.com | * metrics.services.mozilla.com | ||
=== Test Pilot === | === Test Pilot === | ||
| Line 363: | Line 344: | ||
* http://testpilot.firefox.com/ | * http://testpilot.firefox.com/ | ||
=== Tiles/Pingcenter === | |||
=== Tiles === | |||
Code: [https://github.com/mozilla/splice splice] | Code: [https://github.com/mozilla/splice splice] | ||
| Line 371: | Line 350: | ||
* tiles.cdn.mozilla.net | * tiles.cdn.mozilla.net | ||
* tiles.services.mozilla.com | * tiles.services.mozilla.com | ||
=== TLS Observatory === | === TLS Observatory === | ||
| Line 379: | Line 356: | ||
Public Endpoints: | Public Endpoints: | ||
* tls-observatory.services.mozilla.com | * tls-observatory.services.mozilla.com | ||
=== Tracking Protection === | === Tracking Protection === | ||
| Line 388: | Line 363: | ||
* shavar.services.mozilla.com | * shavar.services.mozilla.com | ||
* tracking.services.mozilla.com | * tracking.services.mozilla.com | ||