No edit summary |
No edit summary |
| Line 95: | Line 95: | ||
* The signature verification will eventually become a requirement to shipping a release to staging & prod: the tag being deployed in the pipeline must have a matching tag in git signed by a project owner. This control is designed to reduce the risk of a 3rd party GitHub integration from compromising our source code. | * The signature verification will eventually become a requirement to shipping a release to staging & prod: the tag being deployed in the pipeline must have a matching tag in git signed by a project owner. This control is designed to reduce the risk of a 3rd party GitHub integration from compromising our source code. | ||
* [ ] enable security scanning of 3rd-party libraries and dependencies | * [ ] enable security scanning of 3rd-party libraries and dependencies | ||
* Use [` | * Use [`npm audit`](https://docs.npmjs.com/cli/audit) for node.js (see usage in [FxA](https://github.com/mozilla-services/screenshots/search?utf8=%E2%9C%93&q=npm%20audit&type=)) (NB: there are [open](https://github.com/mozilla-services/screenshots/issues/4803) [issues](https://github.com/mozilla/fxa/issues/303) for handling exceptions) | ||
* For Python, enable pyup security updates: | * For Python, enable pyup security updates: | ||
* Add a pyup config to your repo (example config: https://github.com/mozilla-services/antenna/blob/master/.pyup.yml) | * Add a pyup config to your repo (example config: https://github.com/mozilla-services/antenna/blob/master/.pyup.yml) | ||
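Review bot: the `npm audit` line added in this hunk labels its usage link "FxA" but the URL points at a search in the mozilla-services/screenshots repository, so either the link text or the URL is wrong; the second of the two "open issues" links is the one that actually lives in mozilla/fxa. Since the line already concedes there are open issues for handling exceptions, it would help readers to say what a team should do in the meantime (for example, whether an `npm audit` failure blocks the build or is only reported), otherwise the checkbox above it ("enable security scanning of 3rd-party libraries") has no pass/fail criterion for node.js projects.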
| Line 104: | Line 104: | ||
* notify secops@mozilla.com to enable the integration in pyup | * notify secops@mozilla.com to enable the integration in pyup | ||
* [ ] Keep 3rd-party libraries up to date (in addition to the security updates) | * [ ] Keep 3rd-party libraries up to date (in addition to the security updates) | ||
* For NodeJS applications, use [renovate](https://renovateapp.com/) or [GreenKeeper](https://greenkeeper.io/ | * For NodeJS applications, use [renovate](https://renovateapp.com/) or [GreenKeeper](https://greenkeeper.io/) | ||
* For Python, use ``pip list --outdated`` or [requires.io](https://requires.io/) or pyup outdated checks | * For Python, use ``pip list --outdated`` or [requires.io](https://requires.io/) or pyup outdated checks | ||
* For Rust, use `cargo update` and [cargo upgrade](https://github.com/killercup/cargo-edit#cargo-upgrade) when changing versions | * For Rust, use `cargo update` and [cargo upgrade](https://github.com/killercup/cargo-edit#cargo-upgrade) when changing versions | ||
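Review bot: the closing parenthesis added to the GreenKeeper link fixes that line, but the Python line in the same hunk still uses double backticks (``pip list --outdated``) where every other command on the page uses single backticks; in Markdown the double form renders the same but reads inconsistently in source, so `pip list --outdated` would match the surrounding style. The Rust line could also say that `cargo update` only refreshes `Cargo.lock` within the ranges already in `Cargo.toml`, which is why `cargo upgrade` is listed separately for version bumps.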
| Line 124: | Line 124: | ||
* Access control failures must be logged at WARN level | * Access control failures must be logged at WARN level | ||
Web Applications | |||
---------------- | ---------------- | ||
* [ ] Must have a CSP with | * [ ] Must have a CSP with | ||
| Line 131: | Line 131: | ||
* [ ] if default-src is not `none`, frame-src, and object-src should be `none` or only allow specific origins | * [ ] if default-src is not `none`, frame-src, and object-src should be `none` or only allow specific origins | ||
* [ ] no use of unsafe-inline or unsafe-eval in script-src, style-src, and img-src | * [ ] no use of unsafe-inline or unsafe-eval in script-src, style-src, and img-src | ||
* [ ] Third-party javascript must be pinned to specific versions using [Subresource Integrity (SRI)](https://infosec.mozilla.org/guidelines/web_security#subresource-integrity) | |||
* [ ] Web APIs must set a non-HTML content-type on all responses, including 300s, 400s and 500s | * [ ] Web APIs must set a non-HTML content-type on all responses, including 300s, 400s and 500s | ||
* [ ] Set the Secure and HTTPOnly flags on [Cookies](https://wiki.mozilla.org/Security/Guidelines/Web_Security#Cookies), and use sensible Expiration | * [ ] Set the Secure and HTTPOnly flags on [Cookies](https://wiki.mozilla.org/Security/Guidelines/Web_Security#Cookies), and use sensible Expiration | ||
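Review bot: the CSP item "no use of unsafe-inline or unsafe-eval in script-src, style-src, and img-src" lists img-src, but `'unsafe-inline'` and `'unsafe-eval'` are keywords for script and style directives and have no meaning in img-src; dropping img-src from that line, or replacing it with the directives the rule actually targets, keeps the checklist accurate. In the same hunk the "Web Applications" heading and the Subresource Integrity item appear in only one column of the comparison; if this revision removes them, the CSP checkboxes below lose their section heading and the SRI requirement that complements the script-src restriction, so either restore both or record the move in the edit summary. Minor: the cookie attribute is spelled `HttpOnly`.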