(update to 2018-10-02 revision (c81c8d4c309f734f2ecd0f236f4d94ee84aac0aa))
No edit summary
| Line 95: | Line 95: | ||
* The signature verification will eventually become a requirement to shipping a release to staging & prod: the tag being deployed in the pipeline must have a matching tag in git signed by a project owner. This control is designed to reduce the risk of a 3rd party GitHub integration from compromising our source code. | * The signature verification will eventually become a requirement to shipping a release to staging & prod: the tag being deployed in the pipeline must have a matching tag in git signed by a project owner. This control is designed to reduce the risk of a 3rd party GitHub integration from compromising our source code. | ||
* [ ] enable security scanning of 3rd-party libraries and dependencies | * [ ] enable security scanning of 3rd-party libraries and dependencies | ||
* For node.js, use [`npm audit`](https://docs.npmjs.com/cli/audit) with [audit-filter](https://github.com/mozilla-services/audit-filter) to handle | * For node.js, use [`npm audit`](https://docs.npmjs.com/cli/audit) with [audit-filter](https://github.com/mozilla-services/audit-filter) to review and handle exceptions (see example in [speech-proxy](https://github.com/mozilla/speech-proxy/pull/77/files#diff-b9cfc7f2cdf78a7f4b91a753d10865a2)) | ||
* For Python, enable pyup security updates: | * For Python, enable pyup security updates: | ||
* Add a pyup config to your repo (example config: https://github.com/mozilla-services/antenna/blob/master/.pyup.yml) | * Add a pyup config to your repo (example config: https://github.com/mozilla-services/antenna/blob/master/.pyup.yml) | ||
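Review bot: the two example links added or kept in this hunk point at moving targets rather than a fixed revision, so the checklist's examples can drift away from what is described. The speech-proxy link is a pull-request diff fragment (`.../pull/77/files#diff-...`) and the antenna `.pyup.yml` link is on `master`; prefer linking the merged file at a specific commit, as this wiki page itself does by naming a revision hash. The npm audit item now also says to "review and handle exceptions", but does not say who reviews an exception or where the decision is recorded; naming the approver (the project owner, as the tag-signing item at the top of this hunk already does) would make the control auditable.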
| Line 104: | Line 104: | ||
* notify secops@mozilla.com to enable the integration in pyup | * notify secops@mozilla.com to enable the integration in pyup | ||
* [ ] Keep 3rd-party libraries up to date (in addition to the security updates) | * [ ] Keep 3rd-party libraries up to date (in addition to the security updates) | ||
* For NodeJS applications, use [renovate](https://renovateapp.com/) or [GreenKeeper](https://greenkeeper.io/) | * For NodeJS applications, use [dependabot](https://dependabot.com/), [renovate](https://renovateapp.com/), or [GreenKeeper](https://greenkeeper.io/) | ||
* For Python, use ``pip list --outdated`` or [requires.io](https://requires.io/) or pyup outdated checks | * For Python, use ``pip list --outdated`` or [requires.io](https://requires.io/) or pyup outdated checks | ||
* For Rust, use `cargo update` and [cargo upgrade](https://github.com/killercup/cargo-edit#cargo-upgrade) when changing versions | * For Rust, use `cargo update` and [cargo upgrade](https://github.com/killercup/cargo-edit#cargo-upgrade) when changing versions | ||
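Review bot: the three ecosystem bullets in this hunk are now uneven in what they ask for. The NodeJS item gains dependabot as a third automated option, the Python item lists pyup "outdated checks" even though pyup already appears at Line 95 as the security-update tool, so it should say whether this is a separate pyup feature or the same integration, and the Rust item describes a one-off manual step ("when changing versions") rather than a recurring check; stating how often `cargo update` should be run would align it with the other two. Minor style point: `pip list --outdated` is wrapped in double backticks while `cargo update` uses single ones; use one code style throughout.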