Security Checklist #55
Comments
@jvehent - Do we need to add greenkeeper, or are the GitHub Security Alerts for vulnerable dependencies good enough?
The GitHub security alerts are good enough.
Semi-related, but we've been starting to use Renovate as an alternative to Greenkeeper in some projects lately, as it allows you to schedule when you want PRs [so your PR queue doesn't get flooded]. You can see a sample config in https://github.com/mozilla/watchdog-proxy/blob/master/renovate.json
Note that in the latest checklist under Security Features we've added SameSite cookies:
I'd update the first comment but it doesn't look like I have the right perms :)
for #55: redirect non-dev environments to https
For info, I've added the service to the daily baseline scan, and the results (for those with the relevant perms) are here: https://github.com/mozilla-services/foxsec-results/blob/master/baseline-scan/Firefox-Monitor-Summary.md
Hi @psiinon, can I get credentials to see the daily baseline scan results? Thanks!
Work In Progress! Replaced AllMusic Breach with "Example Breach" and plugged in a placeholder svg and placeholder description. Will probably need to get some great sounding copy / imagery from the UI folks but for now at least All Music is not wrongly implicated. Restored HIBP_STAGE_API_ROOT as ('https://stage.haveibeenpwned.com/api/v2/'), which is still being used by load-breaches.js. load-breaches.js fails when run with the new HIPB_API_ROOT ('https://api.haveibeenpwned.com') and I am waiting to hear back on the new "/breaches" endpoint. Added a maxlength attribute to the email input per part of #55
Hi @lesleyjanenorton - you should have access to them now.
for #55: add SameSite flag to cookies
Our latest baseline failures seem to be caused by the
for #55: convert console to mozlog
@groovecoder if you're talking about the HPKP header, we dropped the recommendation for that from the checklist: https://github.com/mozilla-services/foxsec/commit/12faf78319c2cd63161a973b45333b9eefb7ba22 (the wiki might not have been up to date when this bug was created). Also, re: updating the baseline config for AWS LB cookies, Simon is on PTO and will be back next Wednesday.
Verified with ops that we're keeping logs for 90 days. Filed #464 for adding app-specific log codes.
Risk Management

Infrastructure

- strict-transport-security: max-age=31536000
- [ ] Set HPKP to 5184000 (60 days)
  - Public-Key-Pins: max-age=5184000; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="sRHdihwgkaib1P1gxX8HFszlD+7/gTfNvuAybgLPNis=";
  - Start with max-age set to 5 minutes (max-age=300) and increase progressively
  - The first two pins are for Digicert EV and DV roots, the last two are for Let's Encrypt X3 and X4 intermediates (LE is only used for backup)
- [ ] If the service is not hosted under services.mozilla.com, it must be manually added to Firefox's preloaded pins.
- If the service has an admin panel, it must:
  - [ ] only be available behind Mozilla VPN (which provides MFA)
  - [ ] require Auth0 authentication

Development

- For Python applications, enable pyup security updates:
  - Add a pyup config to your repo (example config: https://github.com/mozilla-services/antenna/blob/master/.pyup.yml)
  - From the "add a team" dropdown for your repo add the relevant "Approved Mozilla PyUp Configuration" team for your github org (e.g. for mozilla and mozilla-services) and grant it write permission.
  - Notify secops@mozilla.com to enable the integration in pyup
  - Consider using pip list --outdated or requires.io too
- Python applications should use Bandit
- Go applications should use the Go Meta Linter

Dual Sign Off

- [ ] Services that push data to Firefox clients must require a dual sign off on every change, implemented in their admin panels
  - This mechanism must be reviewed and approved by the Firefox Operations Security team before being enabled in production

Logging

- [ ] Access control failures must be logged at WARN level

Security Headers

- /__cspreport__ endpoint
- default-src 'none'; frame-ancestors 'none'; base-uri 'none'; report-uri /__cspreport__ to disallowing all content rendering, framing, and report violations
- none, frame-src, and object-src should be none or only allow specific origins
- AWSELB that is set without secure and httponly flags, but it is low risk.
- [ ] Web APIs should export an OpenAPI (Swagger) to facilitate automated vulnerability tests

Security Features

- [ ] Authentication of end-users should be via FxA. Authentication of Mozillians should be via Auth0/SSO. Any exceptions must be approved by the security team.
- [ ] Access Control should be via existing and well regarded frameworks. If you really do need to roll your own then contact the security team for a design and implementation review.

Databases

Common issues

- Python applications should use Bleach
- [ ] When managing permissions, make sure access controls are enforced server-side
- [ ] If handling cryptographic keys, must have a mechanism to handle quarterly key rotations
- target="_blank" in external links unless you also use rel="noopener noreferrer" (to prevent Reverse Tabnabbing)
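As an added example that is not part of this issue or the foxsec checklist, here is a Python check that applies the Strict-Transport-Security, CSP and cookie-flag items above (including the SameSite flag the comments mention) to a constructed set of response headers; the sample header values, cookie names and severity labels are assumptions made for the example.

```python
import re

# Constructed sample response headers, not a capture from any real service.
SAMPLE_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Content-Security-Policy",
     "default-src 'none'; frame-ancestors 'none'; base-uri 'none'; report-uri /__cspreport__"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "AWSELB=0123456789ABCDEF; Path=/"),  # load-balancer cookie, low risk per the checklist
]
HSTS_MIN_MAX_AGE = 31536000          # one year, the value the checklist gives
REQUIRED_CSP = {"default-src": "'none'", "frame-ancestors": "'none'",
                "base-uri": "'none'", "report-uri": "/__cspreport__"}
COOKIE_FLAGS = ("Secure", "HttpOnly", "SameSite")
LOW_RISK_COOKIES = {"AWSELB"}        # reported at low severity instead of high (assumed label)

def parse_csp(value):
    """Split a CSP header value into {directive: source-list string}."""
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = " ".join(tokens[1:])
    return out

def check_response(headers):
    """Return (severity, message) findings; an empty list means the header items pass."""
    findings, by_name = [], {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)
    # HSTS must be present with max-age of at least one year.
    m = re.search(r"max-age=(\d+)", " ".join(by_name.get("strict-transport-security", [])))
    if not m or int(m.group(1)) < HSTS_MIN_MAX_AGE:
        findings.append(("high", "strict-transport-security missing or max-age below %d" % HSTS_MIN_MAX_AGE))
    # CSP must deny rendering and framing by default and report to /__cspreport__.
    csp = parse_csp(by_name.get("content-security-policy", [""])[0])
    for directive, expected in REQUIRED_CSP.items():
        if csp.get(directive) != expected:
            findings.append(("high", "csp %s should be %s, got %r" % (directive, expected, csp.get(directive))))
    # Every cookie needs Secure, HttpOnly and SameSite; AWSELB is only noted as low risk.
    for cookie in by_name.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        missing = [f for f in COOKIE_FLAGS if f.lower() not in attrs]
        if missing:
            severity = "low" if name in LOW_RISK_COOKIES else "high"
            findings.append((severity, "cookie %s missing %s" % (name, ", ".join(missing))))
    return findings
```

Running `check_response(SAMPLE_HEADERS)` on the constructed headers reports only the low-risk AWSELB cookie; feed it the header list of a real response to see which checklist items still fail.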