https://wiki.mozilla.org/index.php?action=history&feed=atom&title=Security%2FProcess%2FVendor_Reviews%2FReview_Questions 2026-04-06T22:30:46Z Revision history for this page on the wiki MediaWiki 1.39.10 https://wiki.mozilla.org/index.php?title=Security/Process/Vendor_Reviews/Review_Questions&diff=843058&oldid=prev 2013-12-31T16:43:24Z

<p>Created page with &quot;=&#039;&#039;&#039;Security Assurance Vendor Review Request&#039;&#039;&#039;= == Review Questions == The following basic questions are used to begin the security assessment of a particular vendor that wi...&quot;</p> <p><b>New page</b></p><div>=&#039;&#039;&#039;Security Assurance Vendor Review Request&#039;&#039;&#039;=<br /> == Review Questions ==<br /> <br /> The following basic questions are used to begin the security assessment of a particular vendor that will interact with Mozilla.<br /> <br /> #Overall<br /> #*Please describe the overall purpose of the system and how Mozilla data will be integrated<br /> #Security Management<br /> #*Have you performed internal security audits of your code or application that, at a minimum, addressed the OWASP Top 10? If so, please provide a description of the review and results.<br /> #*Has a security audit been performed by an external third party? If so, who performed this audit and are the results available?<br /> #*How do you protect Mozilla data that will be stored on your servers or within your applications?<br /> #*How do you prevent other customers of your service from obtaining access to data provided by Mozilla?<br /> #*What is your disclosure policy to customers in the event of a compromise of your servers, applications or any related infrastructure that interacts with the applications holding Mozilla data?<br /> #*Have you suffered a security compromise in the past 24 months? If so, please provide details and remediation that occurred as a result.<br /> #*What other large engagements/clients have you supported with this application?<br /> #Technical Design<br /> #*Do you support full SSL communication for all inbound and outbound communications?<br /> #*Describe the technology stack of the application and infrastructure.<br /> #*What options do your support for authentication?<br /> #**username/password<br /> #**certificate based authentication<br /> #**secret token<br /> #*Are authentication secrets (e.g. passwords) stored in a non-reversible form within your database (e.g. hashing)?<br /> #* What type of hashing algorithm do you use (e.g. sha512, md5, bcrypt)?<br /> #* Are salts added to the hashing algorithm which are unique for each user? <br /> #* Will user passwords (or authentication secrets) be available to any other users via any functionality (example, admin users can see clear text passwords of users)?<br /> #*Do you use third party servers or do you host the servers yourself?<br /> #*Do you use any third party services or communicate with any third parties from this application?<br /> #Security Verification<br /> #*Will testing of the running application be possible?<br /> #*Will source code for their application be available?<br /> #*Do you have attestation reports from any other vendors regarding your security posture?<br /> #*Do you have any other security certifications that may be relevant?</div>

Curtisk