Changes

Security/FirefoxOperations

76 bytes added, 17:50, 30 March 2017

no edit summary

The table below summarizes the open issues assigned to the FoxSec team, sorted by area of focus.

=== Operational Security ===

{| class="wikitable"

Threat monitoring

|-

| style="background-color: #ffd351;"|

[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"1.1+TDS" '''3 MEDIUM''' '''5 LOW''' ]

| style="background-color: #d04437;"|

~~[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"1.1+TDS" '''4 MEDIUM''' '''5 LOW''' ]| style="background-color: #d04437;"|~~[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"1.2+fraud+detection" '''2 HIGH''' '''3 2 MEDIUM''' '''5 3 LOW''' ]

| style="background-color: #ffd351;"|

[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"1.3+identity+management" '''1 HIGH''' '''2 1 MEDIUM''' ]

| style="background-color: #d04437;"|

[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"1.4+infra+hardening" '''7 4 MEDIUM''' '''8 5 LOW''' ] | style="background-color: #~~4a6785~~cccccc;"|~~[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"3.2+monitor+external+threats" '''1 LOW''' ]~~ no pending task

|}

External audits

|-

~~| style="background-color: #ffd351;"|~~

~~[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"2.1+risk+assessment" '''3 MEDIUM''' '''3 LOW''' ]~~

| style="background-color: #d04437;"|

[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"2.1+risk+assessment" '''2 HIGH''' '''4 MEDIUM''' '''3 LOW''' ]| style="background-color: #d04437;"|[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"2.2+appsec+baseline" '''2 HIGH''' '''8 10 MEDIUM''' '''6 7 LOW''' ]

| style="background-color: #ffd351;"|

[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"3.1+signature" '''2 1 HIGH''' '''1 MEDIUM''' '''1 LOW''' ]

| style="background-color: #ffd351;"|

[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"2.3+security+communication" '''1 MEDIUM''' '''6 LOW''' ]

[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"2.4+bug+bounty" '''2 LOW''' ]

| style="background-color: #ffd351;"|

[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"3.3+external+audits" '''1 HIGH''' '''1 MEDIUM~~''' '''1 LOW~~''' ]

|}

* [ ] Use [NSP](https://nodesecurity.io/) or [GreenKeeper](https://greenkeeper.io/ Greenkeeper) for NodeJS applications

* [ ] Use pip --outdated or [requires.io](https://requires.io/) for Python applications

* [ ] If handling cryptographic keys, must have a mechanism to handle ~~monthly~~ quarterly key rotations (**APP-KEYROT**) * [ ] All keys must be rotated quarterly. * Keys used to sign sessions don't need a rotation mechanism if destroying all sessions is acceptable ~~during~~in case of emergency.* [ ] Applications must use accounts with limited GRANTS when connecting to databases (**APP-DBPRIV**) * In particular, applications **must not use admin or owner accounts**, to decrease the impact of a sql injection vulnerability.

### Additional websites requirements

Ulfr

Confirm

529

edits

Changes

Security/FirefoxOperations

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

How to Contribute

MozillaWiki

Around Mozilla

Tools