Am I in the right place?

An Infrastructure Security review is required for any new Mozilla web application before it is launched. We have many security reviews each quarter; it is best to file a security review request at the beginning of your project.

What happens during the security review?

The Infrastructure Security team will review the finished code and running stage instance of the web application to identify security vulnerabilities that could place Mozilla systems or our users at risk. The best way to prepare your application is to review the Mozilla Secure Coding Guidelines and design the application with these principals in mind. Don't hesitate to ask us questions during any point of code development. You can reach our team at infrasec@mozilla.com

Infrasec Security Review Request

1. File a new bug within Bugzilla for the request.
2. Block an existing deployment request bug with the infrasec review bug.
   
3. Assign the bug to Product: Mozilla.org and Component: Infrastructure Security: Web Security.
   
   Here is a direct bugzilla link <- IMPORTANT: Please use this url. It populates important data into the bug for tracking purposes. Without this data the request will get lost in bugzilla.
   
   
4. Make sure to copy mcoates <at> mozilla.com
5. Within the request, please answer the questions below

Questions to Address within Request Body

Please copy these questions into the bug and answer inline.

1. A quick intro to what this app does.
2. Where is the source code located?
3. Is there a stage server running that we can also test against? If so, please indicate what machine the web server is running on.
4. Where would you like the bugs filed in bugzilla? Please specify the product, component and if anyone specific should be copied on the bugs.
5. Will this application be collecting any personally identifiable information from users (email address, physical address, phone number, etc)?
6. Please describe if this app will be connecting to any internal or external services or if it is able to interact with the OS.
7. Does this app support logins or multiple roles? If so, we'll need test accounts created for each available role.
   • Please create 2 accounts for each role supported in the application and add the username and password into the security review request bug. Without this information we can't begin our review.
8. What is the worst case scenario that could happen with this system, data or connected systems? (This is used to help understand the criticality of this server.)
9. Does this website contain an administration page? If so, have the admin page blockers (listed here) all been addressed?
10. This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?
    

Additional Comments

• Once the review is started it takes 1-2 weeks to complete
• Critical reviews can be expedited. Please contact us directly as soon as possible
• Using standard frameworks such as django will decrease the security review time
• Also reference the secure coding guidelines to self evaluate and eliminate security issues prior to the security review

Whiteboard Tags for Security Reviews

These are the work flow tags for the web security review process.

Status Tags

• [pending secreview] - pending to be reviewed
• [in-progress secreview] - it is currently being worked on
• [completed secreview] - review completed

Waiting on tags

• [waiting on code complete] - waiting for the code to be completed
• [waiting on infra setup] - waiting on infrastructure to be setup