Line 1: |
Line 1: |
| = Firefox Services & Operations Security = | | = Firefox Operations Security = |
| The FoxSec team is tasked with securing core Firefox services operated by the Firefox Services Engineering and Operations organization at Mozilla.
| | Firefox Operations Security protects the core services and release engineering infrastructures Mozilla relies on to build, ship and run Firefox. |
| [[File:Foxsec1024.png|400px|right]] | | [[File:Secops1024.png|400px|right]] |
| == Contact == | | == Contact == |
| Email us at foxsec@mozilla.com. | | Email us at secops@mozilla.com. |
| To report a security issue on a given site, use the bug bounty form [https://www.mozilla.org/en-US/security/bug-bounty/faq-webapp/ as explained here]. | | To report a security issue on a given site, use the bug bounty form [https://www.mozilla.org/en-US/security/bug-bounty/faq-webapp/ as explained here]. |
| __TOC__ | | __TOC__ |
| == Backlog ==

| The table below summarizes the open issues assigned to the FoxSec team, sorted by area of focus.

| === Operational Security ===
| {| class="wikitable"
| |- style="vertical-align:bottom;"
| ! style="height:100px; width:200px; text-align:center;" |
| Continuous Testing (TDS)
| ! style="height:100px; width:200px; text-align:center;" |
| Fraud Detection
| ! style="height:100px; width:200px; text-align:center;" |
| User management
| ! style="height:100px; width:200px; text-align:center;" |
| Infra Hardening
| ! style="height:100px; width:200px; text-align:center;" |
| Threat monitoring
| |-
| | style="background-color: #ffd351;"|
| [https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"1.1+TDS" <span style="color:black;">'''3 MEDIUM'''<br />'''5 LOW'''<br /></span>]
| | style="background-color: #d04437;"|
| [https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"1.2+fraud+detection" <span style="color:white;">'''2 HIGH'''<br />'''2 MEDIUM'''<br />'''3 LOW'''<br /></span>]
| | style="background-color: #ffd351;"|
| [https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"1.3+identity+management" <span style="color:black;">'''1 HIGH'''<br />'''1 MEDIUM'''<br /></span>]
| | style="background-color: #d04437;"|
| [https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"1.4+infra+hardening" <span style="color:white;">'''4 MEDIUM'''<br />'''5 LOW'''<br /></span>]
| | style="background-color: #cccccc;"|no pending task
| |}
| === Application Security ===
| {| class="wikitable"
| |- style="vertical-align:bottom;"
| ! style="height:100px; width:200px; text-align:center;" |
| Risk & Security reviews
| ! style="height:100px; width:200px; text-align:center;" |
| Test & Implement Baseline Security
| ! style="height:100px; width:200px; text-align:center;" |
| Data & Code Signing
| ! style="height:100px; width:200px; text-align:center;" |
| Training & Communication
| ! style="height:100px; width:200px; text-align:center;" |
| Bug Bounty
| ! style="height:100px; width:200px; text-align:center;" |
| External audits
| |-
| | style="background-color: #d04437;"|
| [https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"2.1+risk+assessment" <span style="color:white;">'''2 HIGH'''<br />'''4 MEDIUM'''<br />'''3 LOW'''<br /></span>]
| | style="background-color: #d04437;"|
| [https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"2.2+appsec+baseline" <span style="color:white;">'''2 HIGH'''<br />'''10 MEDIUM'''<br />'''7 LOW'''<br /></span>]
| | style="background-color: #ffd351;"|
| [https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"3.1+signature" <span style="color:black;">'''1 HIGH'''<br />'''1 MEDIUM'''<br />'''1 LOW'''<br /></span>]
| | style="background-color: #ffd351;"|
| [https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"2.3+security+communication" <span style="color:black;">'''1 MEDIUM'''<br />'''6 LOW'''<br /></span>]
| | style="background-color: #4a6785;"|
| [https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"2.4+bug+bounty" <span style="color:white;">'''2 LOW'''<br /></span>]
| | style="background-color: #ffd351;"|
| [https://github.com/mozilla-services/foxsec/issues?q=is%3Aopen+is%3Aissue+label%3A"3.3+external+audits" <span style="color:black;">'''1 HIGH'''<br />'''1 MEDIUM'''<br /></span>]
| |}

| == Strategy == | | == Strategy == |
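Review bot: removing the whole Backlog section also removes the only key for the numbered areas (1.1 TDS, 1.2 fraud detection, 1.3 identity management, 1.4 infra hardening, 2.1 risk assessment, 2.2 appsec baseline, 2.3 security communication, 2.4 bug bounty, 3.1 signature, 3.3 external audits) that the Strategy headings below (1.4, 2.1 to 2.4, 3.1, 3.2) still use as prefixes; keep a one-line mapping from number to area, or link each heading to its GitHub label query, so the numbering stays readable without the tables. The issue links in the removed tables all point at mozilla-services/foxsec; if the tracker is renamed along with the team, any surviving links to it elsewhere on the page need the same update.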
Line 87: |
Line 27: |
| * Admin panels should rely on Mozilla's Identity Management platform provided by IT | | * Admin panels should rely on Mozilla's Identity Management platform provided by IT |
| * Third-party services (datadog, pagerduty, aws) should have automated user management (userplex). | | * Third-party services (datadog, pagerduty, aws) should have automated user management (userplex). |
| foxsec need to facilitate integration with Mozilla's IAM with standard libraries and tools.
| | secops need to facilitate integration with Mozilla's IAM with standard libraries and tools. |
| ==== 1.4 Harden the infrastructure ==== | | ==== 1.4 Harden the infrastructure ==== |
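Review bot: the last sentence of the user-management block, "secops need to facilitate integration with Mozilla's IAM with standard libraries and tools", hangs below the bullet list without a bullet and has a number-agreement error; make it "secops needs to facilitate integration with Mozilla's IAM through standard libraries and tools" and either give it a bullet or run it as the closing sentence of the paragraph. The foxsec-to-secops rename is otherwise consistent within this hunk.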
Line 100: |
Line 40: |
| ==== 2.1 Help new projects identify threats and controls (RRA, threat models,...) ==== | | ==== 2.1 Help new projects identify threats and controls (RRA, threat models,...) ==== |
| Risk assessment and threat modeling help people think through failure scenarios they wouldn’t evaluate otherwise. RRAs often leads to architectural changes that are best identified early. Each new project must undergo a 30/60min RRA with one of the member of foxsec to assess the security posture of the project. | | Risk assessment and threat modeling help people think through failure scenarios they wouldn’t evaluate otherwise. RRAs often leads to architectural changes that are best identified early. Each new project must undergo a 30/60min RRA with one of the member of secops to assess the security posture of the project. |
| ==== 2.2 Implement baseline services security standards ==== | | ==== 2.2 Implement baseline services security standards ==== |
| Content Security Policy (CSP), HSTS, HPKP, data signature and encryption, input validation, XSS and SQLi protection are part of techniques developers should care about when building new services. foxsec defines services security standards that devs can implement and foxsec tests in TDS. | | Content Security Policy (CSP), HSTS, HPKP, data signature and encryption, input validation, XSS and SQLi protection are part of techniques developers should care about when building new services. secops defines services security standards that devs can implement and tests in TDS. |
| ==== 2.3 Communicate security effectively throughout the organization ==== | | ==== 2.3 Communicate security effectively throughout the organization ==== |
| Teams need a channel to ask security questions, discuss concerns and share techniques. FoxSec must organize information flow and broadcast to developers, ops and managers. This includes general security best practices, analyzis and actions to take on CVE vulnerabilities, response and communication on incidents. | | Teams need a channel to ask security questions, discuss concerns and share techniques. secops must organize information flow and broadcast to developers, ops and managers. This includes general security best practices, analyzis and actions to take on CVE vulnerabilities, response and communication on incidents. |
| ==== 2.4 Use Mozilla’s bug bounty program ==== | | ==== 2.4 Use Mozilla’s bug bounty program ==== |
Line 114: |
Line 54: |
| ==== 3.1 Sign data that changes the configuration of user agents ==== | | ==== 3.1 Sign data that changes the configuration of user agents ==== |
| We iterate fast, and eventually someone, either us or a partner, is bound to make a mistake and open a door that could put our users at risk. Signing the data we send to our users helps cover that risk. Digital signature for Firefox is a complex topic - not every project can implement it independently - so foxsec must provide the tooling and services to facilitate signing ([autograph](https://github.com/mozilla-services/autograph)) | | We iterate fast, and eventually someone, either us or a partner, is bound to make a mistake and open a door that could put our users at risk. Signing the data we send to our users helps cover that risk. Digital signature for Firefox is a complex topic - not every project can implement it independently - so secops must provide the tooling and services to facilitate signing ([autograph](https://github.com/mozilla-services/autograph)) |
| ==== 3.2 Monitor our ecosystem for external threats ==== | | ==== 3.2 Monitor our ecosystem for external threats ==== |
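Review bot: 2.2 carries HPKP into the renamed baseline, but HTTP Public Key Pinning has been deprecated and both Chrome and Firefox have since removed support for it, and a mis-issued pin locks users out of the service for the pin's max-age; drop it from the list of techniques developers should care about rather than keep it as a standard that TDS would test. Smaller fixes in the same hunk: "RRAs often leads" should read "lead", "one of the member of secops" should read "members", "analyzis" should read "analysis", and the autograph link in 3.1 uses markdown syntax ([autograph](https://github.com/mozilla-services/autograph)) inside wikitext, so it will not render as a link; use the [url label] form the rest of the page uses.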
Line 163: |
Line 103: |
| * [ ] a report-uri pointing to the service's own `/__cspreport__` endpoint | | * [ ] a report-uri pointing to the service's own `/__cspreport__` endpoint |
| * [ ] web APIs should set `default-src` to `none`, disallowing all content rendering | | * [ ] web APIs should set `default-src` to `none`, disallowing all content rendering |
| * [ ] if default-src is not `self`, frame-src should be `none` or only allow specific origins | | * [ ] if default-src is not `self`, frame-src and object-src should be `none` or only allow specific origins |
| * [ ] no use of unsafe-inline or unsafe-eval | | * [ ] no use of unsafe-inline or unsafe-eval |
| * [ ] User data must be escaped for the right context prior to reflecting it (**APP-ESCAPE**) | | * [ ] User data must be escaped for the right context prior to reflecting it (**APP-ESCAPE**) |
Line 172: |
Line 112: |
| * [ ] Set the Secure and HTTPOnly flags on [Cookies](https://wiki.mozilla.org/Security/Guidelines/Web_Security#Cookies), and use sensible Expiration (**APP-SECCOOKIE**) | | * [ ] Set the Secure and HTTPOnly flags on [Cookies](https://wiki.mozilla.org/Security/Guidelines/Web_Security#Cookies), and use sensible Expiration (**APP-SECCOOKIE**) |
| * Keep 3rd-party libraries up to date (**APP-DEPS**) | | * Keep 3rd-party libraries up to date (**APP-DEPS**) |
| * [ ] Use [NSP](https://nodesecurity.io/) or [GreenKeeper](https://greenkeeper.io/ Greenkeeper) for NodeJS applications | | * [ ] Use [NSP](https://nodesecurity.io/) or [GreenKeeper](https://greenkeeper.io/ Greenkeeper) for NodeJS applications |
| * [ ] Use pip --outdated or [requires.io](https://requires.io/) for Python applications | | * [ ] For Python applications, enable pyup security updates: |
| | * Add a pyup config to your repo (example config: https://github.com/mozilla-services/antenna/blob/master/.pyup.yml) |
| | * Add https://github.com/mozsvcpyup as a collaborator to your repo |
| | * Notify secops@mozilla.com to enable the integration in pyup |
| | * Consider using pip --outdated or [requires.io](https://requires.io/) too |
| * [ ] If handling cryptographic keys, must have a mechanism to handle quarterly key rotations (**APP-KEYROT**) | | * [ ] If handling cryptographic keys, must have a mechanism to handle quarterly key rotations (**APP-KEYROT**) |
| * Keys used to sign sessions don't need a rotation mechanism if destroying all sessions is acceptable in case of emergency. | | * Keys used to sign sessions don't need a rotation mechanism if destroying all sessions is acceptable in case of emergency. |
| * [ ] Applications must use accounts with limited GRANTS when connecting to databases (**APP-DBPRIV**) | | * [ ] Applications must use accounts with limited GRANTS when connecting to databases (**APP-DBPRIV**) |
| * In particular, applications **must not use admin or owner accounts**, to decrease the impact of a sql injection vulnerability. | | * In particular, applications **must not use admin or owner accounts**, to decrease the impact of a sql injection vulnerability. |
| | * [ ] fork, exec, subprocess, child_process, etc. calls passing user input to a binary should be [sandboxed](https://github.com/mozilla-services/foxsec/blob/master/docs/sandbox.md) |

| ### Additional websites requirements

| The following coding rules only apply to websites, not web apis.

| * [ ] Never store passwords, use Firefox Accounts (**APP-IDP**)
| * [ ] Forbid Mixed content, always use HTTPS (**APP-MIXCONTENT**)
| * [ ] Must have CSRF tokens and manually excluded specific forms (**APP-CSRF**)
| * [ ] Should consider having checksums for 3rd-party content via SRI (**APP-SRI**).
|   * Trusted 3rd parties, like Google Analytics, don't need SRI. Use your best judgment to decide if a 3rd party script is trustworthy (and assume it is not).
| * Set the following security headers (**APP-HEADERS**)
|   * [ ] X-Content-Type-Options
|   * [ ] X-Frame-Options
|   * [ ] X-XSS-Protection
| * [ ] Host user uploaded content on a separate domain (e.g. FxA avatar images on firefoxcontent.com, bug attachments on bug<bug ID>.bmoattachments.org)
| * [ ] Forbid the use of third party resources (GA, optimizely, ...) on sites that have privileges permissions in Firefox (AMO, testpilot)

| Data rules
| ----------

| * When storing sensitive user data (like browsing history) on Mozilla servers:
|   * [ ] Anonymize it (similar to Tiles) (**DATA-ANON**)
|   * [ ] Encrypt it client-side (similar to Sync) (**DATA-CRYPT**)
|   * [ ] If user data must be stored non-anonymized and in clear text, you must talk to the security and legal teams about it.
| * If the service pushes data to Firefox, like when distributing blacklists or pushing updates, cryptographic signatures must be used. (**DATA-SIGN**)
|   * [ ] Addons must use standard AMO signing (**APP-SIGNING**)
|   * [ ] Code & Conf must use Content-Signature via [Autograph](https://github.com/mozilla-services/autograph) (**DATA-SIGNING**)

| </source> | | </source> |
| == Sites and Services == | | == About the logo == |
| | The Firefox Operations Security logo is derived [https://github.com/synthagency/icons-flat-osx/blob/master/SVG/Apps-Firefox.svg from this work by Synth Agency], and published under Creative Commons Attribution-NonCommercial 4.0 International Public License. |

| FoxSec is responsible for the security of the following websites and backend services.
| (note: foxsec is not responsible for the security of implementations in firefox, only of the backend services).

| === ABSearch ===
| Code: [https://github.com/mozilla-services/absearch absearch]
| Public Endpoints:
| * search.services.mozilla.com

| === Addons.mozilla.org ===
| Code:
| * [https://github.com/mozilla/addons-frontend addons-frontend]
| * [https://github.com/mozilla/addons-server/ addons-server]
| * [https://github.com/mozilla/addons-linter addons-linter]
| Public Endpoints:
| * addon.mozilla.org
| * addons.mozilla.org
| * blocklist.addons.mozilla.org
| * builder.addons.mozilla.org
| * controller-review.apk.firefox.com
| * controller.apk.firefox.com
| * services.addons.mozilla.org
| * static.addons.mozilla.net
| * versioncheck-bg.addons.mozilla.org
| * versioncheck.addons.mozilla.org

| === Product Delivery ===
| Code: [https://github.com/mozilla-services/go-bouncer go-bouncer]
| Public Endpoints:
| * download-installer.cdn.mozilla.net
| * download.mozilla.org

| === AUS/Balrog ===
| Code: [https://github.com/mozilla/balrog/ balrog]
| Public Endpoints:
| * aus3.mozilla.org
| * aus4.mozilla.org
| * aus5.mozilla.org
| * aus.mozilla.org

| === Crash reports (Socorro) ===
| Code: https://github.com/mozilla/socorro/
| Public Endpoints:
| * crash-reports-xpsp2.mozilla.com
| * crash-reports.mozilla.com
| * crash-stats.mozilla.com

| === Firefox Accounts ===
| Code:
| * [https://github.com/mozilla/fxa fxa]
| * [https://github.com/mozilla/fxa-auth-server fxa-auth-server]
| * [https://github.com/mozilla/fxa-content-server fxa-content-server]
| * [https://github.com/mozilla/fxa-js-client fxa-js-client]
| * [https://github.com/mozilla/fxa-oauth-server fxa-oauth-server]
| * [https://github.com/mozilla/fxa-customs-server/ fxa-customs-server]
| Public Endpoints:
| * accounts.firefox.com
| * api.accounts.firefox.com
| * oauth.accounts.firefox.com
| * profile.accounts.firefox.com
| * verifier.accounts.firefox.com

| === Firefox Sync ===
| Code:
| * [https://github.com/mozilla-services/syncserver syncserver]
| * [https://github.com/mozilla-services/tokenserver tokenserver]
| Public Endpoints:
| * *.$region.sync.services.mozilla.com
| * token.services.mozilla.com

| === Location (MLS) ===
| Code:
| * [https://github.com/mozilla/ichnaea ichnaea]
| * [https://github.com/mozilla-services/location-leaderboard location-leaderboard]
| Public Endpoints:
| * location.services.mozilla.com
| * location-leaderboard.services.mozilla.com

| === Marketplace.firefox.com ===
| Code: [https://github.com/mozilla/zamboni zamboni]
| Public Endpoints:
| * marketplace.firefox.com
| * receiptcheck.marketplace.firefox.com
| * static.marketplace.firefox.com

| === Push ===
| Code:
| * [https://github.com/mozilla-services/autopush autopush]
| * [https://github.com/mozilla-services/push-dev-dashboard push-dev-dashboard]
| Public Endpoints:
| * push.services.mozilla.com
| * updates.push.services.mozilla.com

| === Firefox Settings (Kinto) ===
| Code: https://github.com/Kinto/kinto
| Public Endpoints:
| * firefox.settings.services.mozilla.com

| === Pageshot ===
| Code: https://github.com/mozilla-services/pageshot/
| Public Endpoints: pageshot.net

| === Shield / Normandy ===
| Code:
| * [https://github.com/mozilla/normandy normandy]
| Public Endpoints: self-repair.mozilla.org

| === Telemetry ===
| Code:
| * [https://github.com/mozilla/telemetry-server telemetry-server] (deprecated moving to [https://github.com/mozilla/telemetry-analysis-service telemetry-analysis-service])
| * [https://github.com/mozilla/telemetry-dashboard/ telemetry-dashboard]
| Public Endpoints:
| * incoming.telemetry.mozilla.org
| * telemetry-experiment.cdn.mozilla.net
| * analysis.telemetry.mozilla.org
| * sql.telemetry.mozilla.org
| * metrics.services.mozilla.com

| === Test Pilot ===
| Code: [https://github.com/mozilla/testpilot testpilot]
| Public Endpoints:
| * http://testpilot.firefox.com/

| === Tiles/Pingcenter ===
| Code: [https://github.com/mozilla/splice splice]
| Public Endpoints:
| * tiles.cdn.mozilla.net
| * tiles.services.mozilla.com

| === TLS Observatory ===
| Code: [https://github.com/mozilla/tls-observatory tls-observatory]
| Public Endpoints:
| * tls-observatory.services.mozilla.com

| === Tracking Protection ===
| Code: [https://github.com/mozilla-services/shavar shavar]
| Public Endpoints:
| * shavar.services.mozilla.com
| * tracking.services.mozilla.com
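Review bot: the dependency line of the checklist still recommends NSP (nodesecurity.io), which has since been folded into npm audit after npm acquired the Node Security Platform, and Greenkeeper has since shut down (its users were directed to Snyk); point NodeJS projects at npm audit or the equivalent for their package manager. In the same hunk: X-XSS-Protection in the APP-HEADERS list is now deprecated (Chrome removed its XSS auditor and current guidance is to omit the header or send X-XSS-Protection: 0, since the auditor itself became a cross-site leak), the new sandbox link and the pyup example both point at the mozilla-services/foxsec repository, which will go stale if the repository is renamed along with the team, and the Sites and Services deletion also removes the scoping statement that the team covers backend services rather than the Firefox-side implementations; keep that sentence on the new page even if the per-service inventory moves elsewhere.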
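The checklist items in the `<source>` block above (the CSP shape, APP-SECCOOKIE, APP-HEADERS, and the HSTS requirement from 2.2) can be expressed as a test that runs against a service's response headers, which is what "secops defines services security standards that devs can implement and tests in TDS" amounts to in practice. The Python below is an added example written for this page, not code from the wiki, from foxsec/secops or from any Mozilla tooling; the six-month HSTS minimum, the 30-day cookie lifetime, the APP-HSTS label and the four sample header sets are constructed for the example, and the CSP fallback handling is simplified (an absent frame-src or object-src is treated as inheriting default-src).

```python
# Checklist-as-code: CSP, cookie, HSTS and APP-HEADERS items over constructed headers.
import re
from urllib.parse import urlparse

ORIGIN_RE = re.compile(r"https?://[a-z0-9.-]+(?::\d+)?$")
HSTS_MIN_AGE = 15768000        # six months; example threshold, not from the page
COOKIE_MAX_AGE = 30 * 86400    # "sensible Expiration"; example threshold

def parse_csp(value):
    """Content-Security-Policy header -> {directive: [sources]}, lower-cased."""
    policy = {}
    for clause in value.split(";"):
        parts = clause.split()
        if parts:
            policy[parts[0].lower()] = [s.lower() for s in parts[1:]]
    return policy

def specific_sources(sources):  # 'self' or explicit scheme://host origins only
    return bool(sources) and all(s == "'self'" or ORIGIN_RE.match(s) for s in sources)

def is_own_report_uri(uri, origin):  # relative /__cspreport__, or on the service's own origin
    parsed = urlparse(uri)
    if parsed.path != "/__cspreport__":
        return False
    return not parsed.netloc or f"{parsed.scheme}://{parsed.netloc}" == origin

def check_csp(csp, origin, web_api):
    findings, policy = [], parse_csp(csp or "")  # a missing header fails every item
    if not any(is_own_report_uri(r, origin) for r in policy.get("report-uri", [])):
        findings.append("APP-CSP: report-uri does not point to own /__cspreport__")
    default = policy.get("default-src", [])
    if web_api and default != ["'none'"]:
        findings.append("APP-CSP: web API must set default-src 'none'")
    if default != ["'self'"]:
        for directive in ("frame-src", "object-src"):
            # simplified fallback: an absent directive inherits default-src
            sources = policy.get(directive, default)
            if sources != ["'none'"] and not specific_sources(sources):
                findings.append(f"APP-CSP: {directive} must be 'none' or specific origins")
    for directive, sources in policy.items():
        for bad in ("'unsafe-inline'", "'unsafe-eval'"):
            if bad in sources:
                findings.append(f"APP-CSP: {directive} allows {bad}")
    return findings

def check_cookie(set_cookie):
    """APP-SECCOOKIE: Secure, HttpOnly and a bounded lifetime on each cookie."""
    first, *attrs = [a.strip() for a in set_cookie.split(";")]
    name, flags = first.split("=", 1)[0], {}
    for attr in attrs:
        key, _, val = attr.partition("=")
        flags[key.lower()] = val
    findings = [f"APP-SECCOOKIE: {name} lacks {f}" for f in ("Secure", "HttpOnly") if f.lower() not in flags]
    if "max-age" in flags:
        if not flags["max-age"].isdigit() or int(flags["max-age"]) > COOKIE_MAX_AGE:
            findings.append(f"APP-SECCOOKIE: {name} Max-Age exceeds {COOKIE_MAX_AGE}s")
    elif "expires" not in flags:
        findings.append(f"APP-SECCOOKIE: {name} has no expiration")
    return findings

WEBSITE_HEADERS = {  # website-only items from the checklist; web APIs skip them
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "x-frame-options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
    "x-xss-protection": lambda v: True,  # the checklist only asks that it be set
}

def audit(headers, origin, web_api=False):
    """headers: list of (name, value) pairs, because Set-Cookie may repeat."""
    cookies = [v for n, v in headers if n.lower() == "set-cookie"]
    by_name = {n.lower(): v for n, v in headers if n.lower() != "set-cookie"}
    findings = check_csp(by_name.get("content-security-policy"), origin, web_api)
    for cookie in cookies:
        findings += check_cookie(cookie)
    hsts = re.search(r"max-age=(\d+)", by_name.get("strict-transport-security", ""), re.I)
    if not hsts or int(hsts.group(1)) < HSTS_MIN_AGE:
        findings.append(f"APP-HSTS: Strict-Transport-Security max-age below {HSTS_MIN_AGE}s")
    if not web_api:
        for name, ok in WEBSITE_HEADERS.items():
            if name not in by_name:
                findings.append(f"APP-HEADERS: {name} missing")
            elif not ok(by_name[name]):
                findings.append(f"APP-HEADERS: {name} has weak value {by_name[name]!r}")
    return findings

# Constructed sample responses for this example; not captured from any real service.
WEAK_SITE = [("Content-Security-Policy", "default-src 'self' https:; script-src 'self' "
             "'unsafe-inline'; report-uri https://csp-collector.example.com/report"),
             ("Set-Cookie", "sessionid=abc123; Path=/; Max-Age=31536000"),
             ("X-Content-Type-Options", "nosniff"), ("Strict-Transport-Security", "max-age=300")]
HARDENED_SITE = [("Content-Security-Policy", "default-src 'self'; object-src 'none'; "
                  "frame-src 'none'; report-uri /__cspreport__"),
                 ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly; Max-Age=86400"),
                 ("X-Content-Type-Options", "nosniff"), ("X-Frame-Options", "DENY"),
                 ("X-XSS-Protection", "1; mode=block"),
                 ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]
WEAK_API = [("Content-Security-Policy", "default-src 'self'; report-uri /__cspreport__"),
            ("Strict-Transport-Security", "max-age=31536000")]
HARDENED_API = [("Content-Security-Policy", "default-src 'none'; report-uri /__cspreport__"),
                ("Strict-Transport-Security", "max-age=31536000")]
```

Running `audit(WEAK_SITE, "https://site.example.org")` returns ten findings (the foreign report-uri, the `https:` wildcard reaching frame-src and object-src, `'unsafe-inline'`, the three cookie problems, the short HSTS max-age and the two missing headers), while both hardened sets return an empty list; to check a real deployment, collect the response with any HTTP client and pass its (name, value) pairs to `audit()`.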