Changes

Security/FirefoxOperations

8,735 bytes removed, 14:41, 29 June 2017

no edit summary

= Firefox ~~Services &~~ Operations Security =~~The FoxSec team is tasked with securing~~ Firefox Operations Security protects the core ~~Firefox~~ services ~~operated by the Firefox Services Engineering~~ and ~~Operations organization at~~ release engineering infrastructures Mozillarelies on to build, ship and run Firefox.

[[File:~~Foxsec1024~~Secops1024.png|400px|right]]

== Contact ==

Email us at ~~foxsec~~secops@mozilla.com.

To report a security issue on a given site, use the bug bounty form [https://www.mozilla.org/en-US/security/bug-bounty/faq-webapp/ as explained here].

__TOC__

~~== Backlog ==~~

~~The table below summarizes the open issues assigned to the FoxSec team, sorted by area of focus.~~

~~=== Operational Security ===~~

~~{| class="wikitable"~~

~~|- style="vertical-align:bottom;"~~

~~! style="height:100px; width:200px; text-align:center;" |~~

~~Continuous Testing (TDS)~~

~~! style="height:100px; width:200px; text-align:center;" |~~

~~Fraud Detection~~

~~! style="height:100px; width:200px; text-align:center;" |~~

~~User management~~

~~! style="height:100px; width:200px; text-align:center;" |~~

~~Infra Hardening~~

~~! style="height:100px; width:200px; text-align:center;" |~~

~~Threat monitoring~~

|-

~~| style="background-color: #ffd351;"|~~

~~[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"1.1+TDS" '''3 MEDIUM''' '''5 LOW''' ]~~

~~| style="background-color: #d04437;"|~~

[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"1.2+fraud+detection" '''2 HIGH''' '''2 MEDIUM''' '''3 LOW''' ]

~~| style="background-color: #ffd351;"|~~

~~[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"1.3+identity+management" '''1 HIGH''' '''1 MEDIUM''' ]~~

~~| style="background-color: #d04437;"|~~

~~[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"1.4+infra+hardening" '''4 MEDIUM''' '''5 LOW''' ]~~

~~| style="background-color: #cccccc;"|no pending task~~

|}

~~=== Application Security ===~~

~~{| class="wikitable"~~

~~|- style="vertical-align:bottom;"~~

~~! style="height:100px; width:200px; text-align:center;" |~~

~~Risk & Security reviews~~

~~! style="height:100px; width:200px; text-align:center;" |~~

~~Test & Implement Baseline Security~~

~~! style="height:100px; width:200px; text-align:center;" |~~

~~Data & Code Signing~~

~~! style="height:100px; width:200px; text-align:center;" |~~

~~Training & Communication~~

~~! style="height:100px; width:200px; text-align:center;" |~~

~~Bug Bounty~~

~~! style="height:100px; width:200px; text-align:center;" |~~

~~External audits~~

|-

~~| style="background-color: #d04437;"|~~

[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"2.1+risk+assessment" '''2 HIGH''' '''4 MEDIUM''' '''3 LOW''' ]

~~| style="background-color: #d04437;"|~~

[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"2.2+appsec+baseline" '''2 HIGH''' '''10 MEDIUM''' '''7 LOW''' ]

~~| style="background-color: #ffd351;"|~~

~~[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"3.1+signature" '''1 HIGH''' '''1 MEDIUM''' '''1 LOW''' ]~~

~~| style="background-color: #ffd351;"|~~

~~[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"2.3+security+communication" '''1 MEDIUM''' '''6 LOW''' ]~~

~~| style="background-color: #4a6785;"|~~

~~[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"2.4+bug+bounty" '''2 LOW''' ]~~

~~| style="background-color: #ffd351;"|~~

~~[https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"3.3+external+audits" '''1 HIGH''' '''1 MEDIUM''' ]~~

|}

== Strategy ==

* Admin panels should rely on Mozilla's Identity Management platform provided by IT

* Third-party services (datadog, pagerduty, aws) should have automated user management (userplex).

~~foxsec~~ secops need to facilitate integration with Mozilla's IAM with standard libraries and tools.

==== 1.4 Harden the infrastructure ====

==== 2.1 Help new projects identify threats and controls (RRA, threat models,...) ====

Risk assessment and threat modeling help people think through failure scenarios they wouldn’t evaluate otherwise. RRAs often leads to architectural changes that are best identified early. Each new project must undergo a 30/60min RRA with one of the member of ~~foxsec~~ secops to assess the security posture of the project.

==== 2.2 Implement baseline services security standards ====

Content Security Policy (CSP), HSTS, HPKP, data signature and encryption, input validation, XSS and SQLi protection are part of techniques developers should care about when building new services. ~~foxsec~~ secops defines services security standards that devs can implement and ~~foxsec~~ tests in TDS.

==== 2.3 Communicate security effectively throughout the organization ====

Teams need a channel to ask security questions, discuss concerns and share techniques. ~~FoxSec~~ secops must organize information flow and broadcast to developers, ops and managers. This includes general security best practices, analyzis and actions to take on CVE vulnerabilities, response and communication on incidents.

==== 2.4 Use Mozilla’s bug bounty program ====

==== 3.1 Sign data that changes the configuration of user agents ====

We iterate fast, and eventually someone, either us or a partner, is bound to make a mistake and open a door that could put our users at risk. Signing the data we send to our users helps cover that risk. Digital signature for Firefox is a complex topic - not every project can implement it independently - so ~~foxsec~~ secops must provide the tooling and services to facilitate signing ([autograph](https://github.com/mozilla-services/autograph))

==== 3.2 Monitor our ecosystem for external threats ====

* [ ] a report-uri pointing to the service's own `/__cspreport__` endpoint

* [ ] web APIs should set `default-src` to `none`, disallowing all content rendering

* [ ] if default-src is not `self`, frame-src and object-src should be `none` or only allow specific origins

* [ ] no use of unsafe-inline or unsafe-eval

* [ ] User data must be escaped for the right context prior to reflecting it (**APP-ESCAPE**)

* [ ] Set the Secure and HTTPOnly flags on [Cookies](https://wiki.mozilla.org/Security/Guidelines/Web_Security#Cookies), and use sensible Expiration (**APP-SECCOOKIE**)

* Keep 3rd-party libraries up to date (**APP-DEPS**)

* [ ] Use [NSP](https://nodesecurity.io/) or [GreenKeeper](https://greenkeeper.io/ Greenkeeper) for NodeJS applications * [ ] ~~Use~~ For Python applications, enable pyup security updates: * Add a pyup config to your repo (example config: https://github.com/mozilla-services/antenna/blob/master/.pyup.yml) * Add https://github.com/mozsvcpyup as a collaborator to your repo * Notify secops@mozilla.com to enable the integration in pyup * Consider using pip --outdated or [requires.io](https://requires.io/) ~~for Python applications~~too

* [ ] If handling cryptographic keys, must have a mechanism to handle quarterly key rotations (**APP-KEYROT**)

* Keys used to sign sessions don't need a rotation mechanism if destroying all sessions is acceptable in case of emergency.

* [ ] Applications must use accounts with limited GRANTS when connecting to databases (**APP-DBPRIV**)

* In particular, applications **must not use admin or owner accounts**, to decrease the impact of a sql injection vulnerability.

* [ ] fork, exec, subprocess, child_process, etc. calls passing user input to a binary should be [sandboxed](https://github.com/mozilla-services/foxsec/blob/master/docs/sandbox.md)

~~### Additional websites requirements~~

~~The following coding rules only apply to websites, not web apis.~~

* [ ] Never store passwords, use Firefox Accounts (**APP-IDP**)

* [ ] Forbid Mixed content, always use HTTPS (**APP-MIXCONTENT**)

* [ ] Must have CSRF tokens and manually excluded specific forms (**APP-CSRF**)

* [ ] Should consider having checksums for 3rd-party content via SRI (**APP-SRI**).

* Trusted 3rd parties, like Google Analytics, don't need SRI. Use your best judgment to decide if a 3rd party script is trustworthy (and assume it is not).

* Set the following security headers (**APP-HEADERS**)

* [ ] X-Content-Type-Options

* [ ] X-Frame-Options

* [ ] X-XSS-Protection

* [ ] Host user uploaded content on a separate domain (e.g. FxA avatar images on firefoxcontent.com, bug attachments on bug<bug ID>.bmoattachments.org)

* [ ] Forbid the use of third party resources (GA, optimizely, ...) on sites that have privileges permissions in Firefox (AMO, testpilot)

~~Data rules~~

~~----------~~

* When storing sensitive user data (like browsing history) on Mozilla servers:

* [ ] Anonymize it (similar to Tiles) (**DATA-ANON**)

* [ ] Encrypt it client-side (similar to Sync) (**DATA-CRYPT**)

* [ ] If user data must be stored non-anonymized and in clear text, you must talk to the security and legal teams about it.

* If the service pushes data to Firefox, like when distributing blacklists or pushing updates, cryptographic signatures must be used. (**DATA-SIGN**)

* [ ] Addons must use standard AMO signing (**APP-SIGNING**)

* [ ] Code & Conf must use Content-Signature via [Autograph](https://github.com/mozilla-services/autograph) (**DATA-SIGNING**)

</source>

== ~~Sites and Services ==~~ ~~FoxSec is responsible for the security of~~ About the ~~following websites and backend services.~~ ~~(note: foxsec is not responsible for the security of implementations in firefox, only of the backend services).~~ ~~=== ABSearch ===Code: [https://github.com/mozilla-services/absearch absearch]~~ ~~Public Endpoints:~~* search.services.mozilla.com ~~=== Addons.mozilla.org ===Code:~~* [https://github.com/mozilla/addons-frontend addons-frontend]* [https://github.com/mozilla/addons-server/ addons-server]* [https://github.com/mozilla/addons-linter addons-linter] ~~Public Endpoints:~~* addon.mozilla.org* addons.mozilla.org* blocklist.addons.mozilla.org* builder.addons.mozilla.org* controller-review.apk.firefox.com* controller.apk.firefox.com* services.addons.mozilla.org* static.addons.mozilla.net* versioncheck-bg.addons.mozilla.org* versioncheck.addons.mozilla.org ~~=== Product Delivery ===Code: [https://github.com/mozilla-services/go-bouncer go-bouncer]~~ ~~Public Endpoints:~~* download-installer.cdn.mozilla.net* download.mozilla.org ~~=== AUS/Balrog ===Code: [https://github.com/mozilla/balrog/ balrog]~~ ~~Public Endpoints:~~* aus3.mozilla.org* aus4.mozilla.org* aus5.mozilla.org* aus.mozilla.org ~~=== Crash reports (Socorro) ===Code: https://github.com/mozilla/socorro/~~ ~~Public Endpoints:~~* crash-reports-xpsp2.mozilla.com* crash-reports.mozilla.com* crash-stats.mozilla.com ~~=== Firefox Accounts ===Code:~~* [https://github.com/mozilla/fxa fxa]* [https://github.com/mozilla/fxa-auth-server fxa-auth-server]* [https://github.com/mozilla/fxa-content-server fxa-content-server]* [https://github.com/mozilla/fxa-js-client fxa-js-client]* [https://github.com/mozilla/fxa-oauth-server fxa-oauth-server]* [https://github.com/mozilla/fxa-customs-server/ fxa-customs-server] ~~Public Endpoints:~~* accounts.firefox.com* api.accounts.firefox.com* oauth.accounts.firefox.com* profile.accounts.firefox.com* verifier.accounts.firefox.com ~~=== Firefox Sync ===Code:~~* [https://github.com/mozilla-services/syncserver syncserver]* [https://github.com/mozilla-services/tokenserver tokenserver] ~~Public Endpoints:~~* *.$region.sync.services.mozilla.com* token.services.mozilla.com ~~=== Location (MLS) ===Code:~~* [https://github.com/mozilla/ichnaea ichnaea]* [https://github.com/mozilla-services/location-leaderboard location-leaderboard] ~~Public Endpoints:~~* location.services.mozilla.com* location-leaderboard.services.mozilla.com ~~=== Marketplace.firefox.com ===Code: [https://github.com/mozilla/zamboni zamboni]~~ ~~Public Endpoints:~~* marketplace.firefox.com* receiptcheck.marketplace.firefox.com* static.marketplace.firefox.com ~~=== Push ===Code:~~* [https://github.com/mozilla-services/autopush autopush]* [https://github.com/mozilla-services/push-dev-dashboard push-dev-dashboard] ~~Public Endpoints:~~* push.services.mozilla.com* updates.push.services.mozilla.com ~~=== Firefox Settings (Kinto) ===Code: https://github.com/Kinto/kinto~~ ~~Public Endpoints:~~* firefox.settings.services.mozilla.com ~~=== Pageshot ===Code: https://github.com/mozilla-services/pageshot/~~ ~~Public Endpoints: pageshot.net~~ ~~=== Shield / Normandy ===Code:~~* [https://github.com/mozilla/normandy normandy] ~~Public Endpoints: self-repair.mozilla.org~~ ~~=== Telemetry ===Code:~~* [https://github.com/mozilla/telemetry-server telemetry-server] (deprecated moving to [https://github.com/mozilla/telemetry-analysis-service telemetry-analysis-service])* [https://github.com/mozilla/telemetry-dashboard/ telemetry-dashboard] ~~Public Endpoints:~~* incoming.telemetry.mozilla.org* telemetry-experiment.cdn.mozilla.net* analysis.telemetry.mozilla.org* sql.telemetry.mozilla.org* metrics.services.mozilla.com ~~=== Test Pilot ===Code: [https://github.com/mozilla/testpilot testpilot]~~ ~~Public Endpoints:~~* http://testpilot.firefox.com/ ~~=== Tiles/Pingcenter ===Code: [https://github.com/mozilla/splice splice]~~ ~~Public Endpoints:~~* tiles.cdn.mozilla.net* tiles.services.mozilla.com ~~=== TLS Observatory ===Code: [https://github.com/mozilla/tls-observatory tls-observatory]~~ ~~Public Endpoints:~~* tls-observatory.services.mozilla.com ~~=== Tracking Protection =~~logo ==~~Code: [https://github.com/mozilla-services/shavar shavar]~~

~~Public Endpoints~~The Firefox Operations Security logo is derived [https:* shavar.services.mozilla//github.com* tracking/synthagency/icons-flat-osx/blob/master/SVG/Apps-Firefox.~~services~~svg from this work by Synth Agency], and published under Creative Commons Attribution-NonCommercial 4.~~mozilla~~0 International Public License.~~com~~

Ulfr

Confirm

529

edits

Changes

Security/FirefoxOperations

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

How to Contribute

MozillaWiki

Around Mozilla

Tools