Confirm
529
edits
Changes
→Security Checklist
<source lang:markdown>
Risk Management
---------------
* [ ] The service must have performed a Rapid Risk Assessment and have a Risk Record bug * [ ] Public staging and production endpoints must be added to the [security baseline](**SVChttps://github.com/mozilla-RRA**services/foxsec/blob/master/services/README.md).
Infrastructure rules--------------------
* [ ] Access and application logs must be archived for a minimum of 90 days
* [ ] Use [Modern](https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility) or [Intermediate](https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility) TLS (**INFRA-TLS**)* [ ] Set HSTS to 31536000 (1 year) (**INFRA-HSTS**)
* `strict-transport-security: max-age=31536000`
* [ ] Set HPKP to 5184000 (60 days) (**INFRA-HPKP**)
* `Public-Key-Pins: max-age=5184000; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="sRHdihwgkaib1P1gxX8HFszlD+7/gTfNvuAybgLPNis=";`
* Start with max-age set to 5 minutes (`max-age=300`) and increase progressively
* [ ] If the service is not hosted under `services.mozilla.com`, it must be manually added to [Firefox's preloaded pins](https://dxr.mozilla.org/mozilla-central/source/security/manager/tools/PreloadedHPKPins.json#184).
* If service has an admin panels, it must:
* [ ] only be available behind Mozilla VPN (which provides MFA) (**INFRA-ADMINVPN**) * [ ] require LDAP Auth0 authentication (**INFRA-ADMINLDAP**) * [ ] enforce a two-man rule on sensitive changes (**INFRA-2MANRULE**)
* Developers should [configure git to sign all tags](http://micropipes.com/blog//2016/08/31/signing-your-commits-on-github-with-a-gpg-key/) and upload their PGP fingerprint to https://login.mozilla.com
* The signature verification will eventually become a requirement to shipping a release to staging & prod: the tag being deployed in the pipeline must have a matching tag in git signed by a project owner. This control is designed to reduce the risk of a 3rd party GitHub integration from compromising our source code.
* [ ] Publish detailed logs in [mozlog](https://github.com/mozilla-services/Dockerflow/blob/master/docs/mozlog.md) format (**APP-MOZLOG**) * Business logic must be logged with app specific codes (errno) * Access control failures must be logged at WARN level* [ ] Must have a CSP with (**APP-CSP**) * [ ] a report-uri pointing to the service's own `/__cspreport__` endpoint * [ ] web APIs should set `default-src` to `none`, disallowing all content rendering * [ ] if default-src is not `self`, frame-src and object-src should be `none` or only allow specific origins * [ ] no use of unsafe-inline or unsafe-eval* [ ] User data must be escaped for the right context prior to reflecting it (**APP-ESCAPE**)* [ ] Web APIs must set a non-HTML content-type on all responses, including 300s, 400s and 500s (**APP-NOHTML**)* [ ] All SQL queries must be parameterized, not concatenated (**APP-SQL**)* [ ] Apply sensible limits to user inputs, see [input validation](https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Input_Validation) (**APP-INPUTVAL**)* [ ] When managing permissions, make sure access controls are enforced server-side (**APP-ACL**)* [ ] Set the Secure and HTTPOnly flags on [Cookies](https://wiki.mozilla.org/Security/Guidelines/Web_Security#Cookies), and use sensible Expiration (**APP-SECCOOKIE**)* Keep 3rd-party libraries up to date (**APP-DEPS**) * [ ] Use [NSP](https://nodesecurity.io/) or [GreenKeeper](https://greenkeeper.io/ Greenkeeper) for NodeJS applications * [ ] For Python applications, enable pyup security updates:
* Add a pyup config to your repo (example config: https://github.com/mozilla-services/antenna/blob/master/.pyup.yml)
* Add https://github.com/mozsvcpyup as a collaborator to your repo
* Notify secops@mozilla.com to enable the integration in pyup
* Consider using ``pip list --outdated`` or [requires.io](https://requires.io/) too
* [ ] Integrate static code analysis in CI, and avoid merging code with issues * Javascript applications should use ESLint with the [Mozilla ruleset](https://developer.mozilla.org/en-US/docs/ESLint) * Python applications should use [Bandit](https://github.com/openstack/bandit) * Go applications should use the [Go Meta Linter](https://github.com/alecthomas/gometalinter) * Use whitelisting mechanisms in these tools to deal with false positives Dual Sign Off------------* [ ] Services that push data to Firefox clients must require a dual sign off on every change, implemented in their admin panels * This mechanism must be reviewed and approved by the Firefox Operations Security team before being enabled in production Logging-------* [ ] Publish detailed logs in [mozlog](https://github.com/mozilla-services/Dockerflow/blob/master/docs/mozlog.md) format (**APP-MOZLOG**) * Business logic must be logged with app specific codes (see [FxA](https://github.com/mozilla/fxa-auth-server/blob/master/docs/api.md#defined-errors)) * Access control failures must be logged at WARN level Security Headers----------------* [ ] Must have a CSP with * [ ] a report-uri pointing to the service's own `/__cspreport__` endpoint * [ ] web API responses should return `default-src 'none'; frame-ancestors 'none'; base-uri 'none'; report-uri /__cspreport__` to disallowing all content rendering, framing, and report violations * [ ] if default-src is not `none`, frame-src, and object-src should be `none` or only allow specific origins * [ ] no use of unsafe-inline or unsafe-eval in script-src, style-src, and img-src* [ ] Web APIs must set a non-HTML content-type on all responses, including 300s, 400s and 500s* [ ] Set the Secure and HTTPOnly flags on [Cookies](https://wiki.mozilla.org/Security/Guidelines/Web_Security#Cookies), and use sensible Expiration* [ ] Make sure your application gets an A+ on the [Mozilla Observatory](https://observatory.mozilla.org/)* [ ] Verify your application doesn't have any failures on the [Security Baseline](https://github.com/mozilla-services/foxsec/blob/master/tools/baseline-scan/results/Baseline-Services.md). * Contact secops@ or ping 'psiinon' on github to document exceptions to the baseline, mark csrf exempt forms, etc.* [ ] Web APIs should export an OpenAPI (Swagger) to facilitate automated vulnerability tests Databases---------* [ ] All SQL queries must be parameterized, not concatenated* [ ] Applications must use accounts with limited GRANTS when connecting to databases * In particular, applications **must not use admin or owner accounts**, to decrease the impact of a sql injection vulnerability. Common issues-------------* [ ] User data must be [escaped for the right context](https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules_Summary) prior to reflecting it * When inserting user generated html into an html context: * Python applications should use [Bleach](https://github.com/mozilla/bleach) * Javascript applications should use [DOMPurify](https://github.com/cure53/DOMPurify/)* [ ] Apply sensible limits to user inputs, see [input validation](https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Input_Validation) * POST body size should be small (<500kB) unless explicitely needed* [ ] When managing permissions, make sure access controls are enforced server-side* [ ] If handling cryptographic keys, must have a mechanism to handle quarterly key rotations (**APP-KEYROT**)
* Keys used to sign sessions don't need a rotation mechanism if destroying all sessions is acceptable in case of emergency.
* [ ] Applications must use accounts with limited GRANTS when connecting to databases Do not proxy requests from users without strong limitations and filtering (see [Pocket UserData vulnerability](**APPhttps://www.gnu.gl/blog/Posts/multiple-vulnerabilities-in-DBPRIV**pocket/)) * In particular, applications **must not use admin or owner accounts**, . Don't proxy requests to decrease the impact of a sql injection vulnerability.* [ ] forklink local, execloopback, subprocess, child_process, etc. calls passing user input to a binary should be [sandboxedor private networks](https://githuben.wikipedia.comorg/wiki/mozilla-servicesReserved_IP_addresses#IPv4) or DNS that resolves to addresses in those ranges (i.e. 169.254.0.0/foxsec16, 127.0.0.0/blob8, 10.0.0.0/master8, 100.64.0.0/docs10, 172.16.0.0/sandbox12, 192.md168.0.0/16, 198.18.0.0/15).
