Security/FirefoxOperations: Difference between revisions
< Security
Jump to navigation
Jump to search
m (Fixed typo in my name ;)) |
|||
| (71 intermediate revisions by 3 users not shown) | |||
| Line 1: | Line 1: | ||
= | = Firefox Operations Security = | ||
Firefox Operations Security is responsible for application & operations security for internal & external services and websites in the Firefox organization that host sensitive data or provide a mission critical service. | |||
[[File:Secops1024.png|400px|right]] | |||
== Contact == | == Contact == | ||
Email us at secops@mozilla.com. | |||
To report a security issue on a given site, use the bug bounty form [https://www.mozilla.org/en-US/security/bug-bounty/faq-webapp/ as explained here]. | |||
To tell us about a new service create a [https://github.com/mozilla-services/foxsec/issues/new?template=NewService.md&labels=New%20Service&assignee=psiinon&title=New%20Service:%20 New Service issue]. | |||
__TOC__ | |||
== Product Lines == | |||
( | * Firefox Accounts | ||
* Addons.mozilla.org | |||
* Browser services (sync, push, normandy, remote settings, balrog, product delivery, etc.) | |||
* Data services (telemetry, pioneer, taar, prio, etc.) | |||
* Web presence of Premium services (FxSend, FxMonitor, FPN website, etc.) | |||
* Release Engineering (taskcluster, shipit, *.build.m.o, build infra, etc.) | |||
* Developer Services (phabricator, lando, bugzilla, sentry, crash reports, etc.) | |||
=== | == Scope == | ||
=== | === Application security === | ||
Responsibility for internal & external services and websites in the Firefox organization that host sensitive data or provide a mission critical service. | |||
* Risk assessments | |||
* Security Reviews | |||
* Manual and automated testing | |||
* Review risks w/ product owners | |||
* Security incident management | |||
The application security group also owns cryptographic services (autograph, tls canary, tls observatory, etc) and appsec tooling (zap, dependency observatory, etc.). | |||
=== | === Operations security === | ||
Responsibility for infrastructure and hosting of Firefox services. | |||
* Covers the security of AWS and GCP infrastructure, and datacenters for the build infra | |||
* Security operations consulting for the Firefox organization at large | |||
The operations security group also owns the fraud pipeline (foxsec-pipeline) and secops tooling (frost, sops, etc.). | |||
=== | === Risk Management === | ||
Responsibility for maintaining visibility into the security posture of the Firefox infrastructure. | |||
* Rapid Risk Assessments framework & associated tooling | |||
* Security posture reports & leadership reporting | |||
=== | == Security Checklist == | ||
This has moved to https://github.com/mozilla-services/websec-check | |||
== | == About the logo == | ||
The Firefox Operations Security logo is derived [https://github.com/synthagency/icons-flat-osx/blob/master/SVG/Apps-Firefox.svg from this work by Synth Agency], and published under Creative Commons Attribution-NonCommercial 4.0 International Public License. | |||
Latest revision as of 09:15, 22 January 2020
Firefox Operations Security
Firefox Operations Security is responsible for application & operations security for internal & external services and websites in the Firefox organization that host sensitive data or provide a mission critical service.
Contact
Email us at secops@mozilla.com.
To report a security issue on a given site, use the bug bounty form as explained here.
To tell us about a new service create a New Service issue.
Product Lines
- Firefox Accounts
- Addons.mozilla.org
- Browser services (sync, push, normandy, remote settings, balrog, product delivery, etc.)
- Data services (telemetry, pioneer, taar, prio, etc.)
- Web presence of Premium services (FxSend, FxMonitor, FPN website, etc.)
- Release Engineering (taskcluster, shipit, *.build.m.o, build infra, etc.)
- Developer Services (phabricator, lando, bugzilla, sentry, crash reports, etc.)
Scope
Application security
Responsibility for internal & external services and websites in the Firefox organization that host sensitive data or provide a mission critical service.
- Risk assessments
- Security Reviews
- Manual and automated testing
- Review risks w/ product owners
- Security incident management
The application security group also owns cryptographic services (autograph, tls canary, tls observatory, etc) and appsec tooling (zap, dependency observatory, etc.).
Operations security
Responsibility for infrastructure and hosting of Firefox services.
- Covers the security of AWS and GCP infrastructure, and datacenters for the build infra
- Security operations consulting for the Firefox organization at large
The operations security group also owns the fraud pipeline (foxsec-pipeline) and secops tooling (frost, sops, etc.).
Risk Management
Responsibility for maintaining visibility into the security posture of the Firefox infrastructure.
- Rapid Risk Assessments framework & associated tooling
- Security posture reports & leadership reporting
Security Checklist
This has moved to https://github.com/mozilla-services/websec-check
About the logo
The Firefox Operations Security logo is derived from this work by Synth Agency, and published under Creative Commons Attribution-NonCommercial 4.0 International Public License.
