No edit summary |
(update to 2018-10-02 revision (c81c8d4c309f734f2ecd0f236f4d94ee84aac0aa)) |
| Line 90: | Line 90: | ||
* [ ] Ensure your code repository is configured and located appropriately: | * [ ] Ensure your code repository is configured and located appropriately: | ||
* [ ] Application built internally should be hosted in trusted GitHub organizations (mozilla, mozilla-services, mozilla-bteam, mozilla-conduit, mozilla-mobile, taskcluster). Sometimes we build and deploy applications we don't fully control. In those cases, the Dockerfile that builds the application container should be hosted in its own repository in a trusted organization. | * [ ] Application built internally should be hosted in trusted GitHub organizations (mozilla, mozilla-services, mozilla-bteam, mozilla-conduit, mozilla-mobile, taskcluster). Sometimes we build and deploy applications we don't fully control. In those cases, the Dockerfile that builds the application container should be hosted in its own repository in a trusted organization. | ||
* [ ] Secure your repository by implementing [Mozilla's GitHub security standard](https://github.com/mozilla-services/GitHub-Audit/blob/master/checklist.md). | * [ ] Secure your repository by implementing [Mozilla's GitHub security standard](https://github.com/mozilla-services/GitHub-Audit/blob/master/docs/checklist.md). | ||
* [ ] Sign all release tags, and ideally commits as well | * [ ] Sign all release tags, and ideally commits as well | ||
* Developers should [configure git to sign all tags](http://micropipes.com/blog//2016/08/31/signing-your-commits-on-github-with-a-gpg-key/) and upload their PGP fingerprint to https://login.mozilla.com | * Developers should [configure git to sign all tags](http://micropipes.com/blog//2016/08/31/signing-your-commits-on-github-with-a-gpg-key/) and upload their PGP fingerprint to https://login.mozilla.com | ||
* The signature verification will eventually become a requirement to shipping a release to staging & prod: the tag being deployed in the pipeline must have a matching tag in git signed by a project owner. This control is designed to reduce the risk of a 3rd party GitHub integration from compromising our source code. | * The signature verification will eventually become a requirement to shipping a release to staging & prod: the tag being deployed in the pipeline must have a matching tag in git signed by a project owner. This control is designed to reduce the risk of a 3rd party GitHub integration from compromising our source code. | ||
* [ ] enable security scanning of 3rd-party libraries and dependencies | * [ ] enable security scanning of 3rd-party libraries and dependencies | ||
* | * For node.js, use [`npm audit`](https://docs.npmjs.com/cli/audit) with [audit-filter](https://github.com/mozilla-services/audit-filter) to handle exception (see example in [speech-proxy](https://github.com/mozilla/speech-proxy/pull/63)) | ||
* For Python, enable pyup security updates: | * For Python, enable pyup security updates: | ||
* Add a pyup config to your repo (example config: https://github.com/mozilla-services/antenna/blob/master/.pyup.yml) | * Add a pyup config to your repo (example config: https://github.com/mozilla-services/antenna/blob/master/.pyup.yml) | ||
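Review bot: in the new node.js bullet, "to handle exception" should read "to handle exceptions", and the bullet leaves undocumented where the audit-filter exception list lives and who reviews additions to it; the only pointer is the speech-proxy PR. The Python bullet right below it sets the pattern by linking a concrete example config, so suggest a matching sub-bullet, e.g. `* Commit the audit-filter exception list to the repository and require reviewer sign-off when an advisory is added to it`, so that suppressed advisories are as visible in review as the signed-tag control above intends for code changes. Minor, in the unchanged context: "Application built internally should be hosted" should be "Applications built internally should be hosted".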
| Line 135: | Line 135: | ||
* [ ] Set the Secure and HTTPOnly flags on [Cookies](https://wiki.mozilla.org/Security/Guidelines/Web_Security#Cookies), and use sensible Expiration | * [ ] Set the Secure and HTTPOnly flags on [Cookies](https://wiki.mozilla.org/Security/Guidelines/Web_Security#Cookies), and use sensible Expiration | ||
* [ ] Make sure your application gets an A+ on the [Mozilla Observatory](https://observatory.mozilla.org/) | * [ ] Make sure your application gets an A+ on the [Mozilla Observatory](https://observatory.mozilla.org/) | ||
* [ ] Verify your application doesn't have any failures on the [Security Baseline](https://github.com/mozilla-services/foxsec/blob/master | * [ ] Verify your application doesn't have any failures on the [Security Baseline](https://github.com/mozilla-services/foxsec-results/blob/master/baseline-scan/Baseline-Services.md). | ||
* Contact secops@ or ping 'psiinon' on github to document exceptions to the baseline, mark csrf exempt forms, etc. | * Contact secops@ or ping 'psiinon' on github to document exceptions to the baseline, mark csrf exempt forms, etc. | ||
* [ ] Web APIs should export an OpenAPI (Swagger) to facilitate automated vulnerability tests | * [ ] Web APIs should export an OpenAPI (Swagger) to facilitate automated vulnerability tests | ||
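Review bot: the Security Baseline link fix is correct (the old URL was cut off at `/blob/master` and could not resolve), but the new target, `foxsec-results/.../baseline-scan/Baseline-Services.md`, is a per-service results page rather than a description of what the baseline checks are. Suggest either also linking where the baseline checks are defined or rewording the bullet to say the linked page lists current scan results per service, so a team reading "doesn't have any failures" knows what a failure means before following the next sub-bullet to secops@ for exceptions.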