Security/FirefoxOperations: Difference between revisions

Security/FirefoxOperations (view source)

Revision as of 17:50, 30 March 2017

76 bytes added , 30 March 2017

no edit summary

Ulfr

Confirmed users

529

edits

@@ Line 15: / Line 15: @@
 The table below summarizes the open issues assigned to the FoxSec team, sorted by area of focus.
+=== Operational Security ===
 === Operational Security ===
 {| class="wikitable"
@@ Line 29: / Line 30: @@
 Threat monitoring
 |-
+| style="background-color: #ffd351;"|
+[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A&quot;1.1+TDS&quot; <span style="color:black;">'''3 MEDIUM'''<br />'''5 LOW'''<br /></span>]
 | style="background-color: #d04437;"|
-[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A&quot;1.1+TDS&quot; <span style="color:white;">'''4 MEDIUM'''<br />'''5 LOW'''<br /></span>]
+[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A&quot;1.2+fraud+detection&quot; <span style="color:white;">'''2 HIGH'''<br />'''2 MEDIUM'''<br />'''3 LOW'''<br /></span>]
-| style="background-color: #d04437;"|
-[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A&quot;1.2+fraud+detection&quot; <span style="color:white;">'''2 HIGH'''<br />'''3 MEDIUM'''<br />'''5 LOW'''<br /></span>]
 | style="background-color: #ffd351;"|
-[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A&quot;1.3+identity+management&quot; <span style="color:black;">'''1 HIGH'''<br />'''2 MEDIUM'''<br /></span>]
+[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A&quot;1.3+identity+management&quot; <span style="color:black;">'''1 HIGH'''<br />'''1 MEDIUM'''<br /></span>]
 | style="background-color: #d04437;"|
-[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A&quot;1.4+infra+hardening&quot; <span style="color:white;">'''7 MEDIUM'''<br />'''8 LOW'''<br /></span>]
+[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A&quot;1.4+infra+hardening&quot; <span style="color:white;">'''4 MEDIUM'''<br />'''5 LOW'''<br /></span>]
-| style="background-color: #4a6785;"|
+| style="background-color: #cccccc;"|no pending task
-[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A&quot;3.2+monitor+external+threats&quot; <span style="color:white;">'''1 LOW'''<br /></span>]
 |}
@@ Line 57: / Line 57: @@
 External audits
 |-
-| style="background-color: #ffd351;"|
-[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A&quot;2.1+risk+assessment&quot; <span style="color:black;">'''3 MEDIUM'''<br />'''3 LOW'''<br /></span>]
 | style="background-color: #d04437;"|
-[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A&quot;2.2+appsec+baseline&quot; <span style="color:white;">'''2 HIGH'''<br />'''8 MEDIUM'''<br />'''6 LOW'''<br /></span>]
+[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A&quot;2.1+risk+assessment&quot; <span style="color:white;">'''2 HIGH'''<br />'''4 MEDIUM'''<br />'''3 LOW'''<br /></span>]
+| style="background-color: #d04437;"|
+[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A&quot;2.2+appsec+baseline&quot; <span style="color:white;">'''2 HIGH'''<br />'''10 MEDIUM'''<br />'''7 LOW'''<br /></span>]
 | style="background-color: #ffd351;"|
-[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A&quot;3.1+signature&quot; <span style="color:black;">'''2 HIGH'''<br />'''1 MEDIUM'''<br />'''1 LOW'''<br /></span>]
+[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A&quot;3.1+signature&quot; <span style="color:black;">'''1 HIGH'''<br />'''1 MEDIUM'''<br />'''1 LOW'''<br /></span>]
 | style="background-color: #ffd351;"|
 [https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A&quot;2.3+security+communication&quot; <span style="color:black;">'''1 MEDIUM'''<br />'''6 LOW'''<br /></span>]
@@ Line 68: / Line 68: @@
 [https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A&quot;2.4+bug+bounty&quot; <span style="color:white;">'''2 LOW'''<br /></span>]
 | style="background-color: #ffd351;"|
-[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A&quot;3.3+external+audits&quot; <span style="color:black;">'''1 HIGH'''<br />'''1 MEDIUM'''<br />'''1 LOW'''<br /></span>]
+[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A&quot;3.3+external+audits&quot; <span style="color:black;">'''1 HIGH'''<br />'''1 MEDIUM'''<br /></span>]
 |}
@@ Line 174: / Line 174: @@
    * [ ]  Use [NSP](https://nodesecurity.io/) or [GreenKeeper](https://greenkeeper.io/ Greenkeeper) for NodeJS applications
    * [ ] Use pip --outdated or [requires.io](https://requires.io/) for Python applications
-* [ ] If handling cryptographic keys, must have a mechanism to handle monthly key rotations (**APP-KEYROT**)
+* [ ] If handling cryptographic keys, must have a mechanism to handle quarterly key rotations (**APP-KEYROT**)
-  * [ ] All keys must be rotated quarterly.
+   * Keys used to sign sessions don't need a rotation mechanism if destroying all sessions is acceptable in case of emergency.
-   * Keys used to sign sessions don't need a rotation mechanism if destroying all sessions is acceptable during.
+* [ ] Applications must use accounts with limited GRANTS when connecting to databases (**APP-DBPRIV**)
+  * In particular, applications **must not use admin or owner accounts**, to decrease the impact of a sql injection vulnerability.
 ### Additional websites requirements

Security/FirefoxOperations: Difference between revisions

Security/FirefoxOperations (view source)

Revision as of 17:50, 30 March 2017

Navigation menu

Search