Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security Checklist #55

Closed
26 tasks done
jvehent opened this issue Feb 26, 2018 · 11 comments
Closed
26 tasks done

Security Checklist #55

jvehent opened this issue Feb 26, 2018 · 11 comments
Assignees
Labels
in-progress needs-OPS Issues that needs Ops support security
Milestone

Comments

@jvehent
Copy link

jvehent commented Feb 26, 2018

Risk Management

  • The service must have performed a Rapid Risk Assessment and have a Risk Record bug
  • Public staging and production endpoints must be added to the security baseline

Infrastructure

  • Access and application logs must be archived for a minimum of 90 days
  • Use Modern or Intermediate TLS
  • Set HSTS to 31536000 (1 year)
    • strict-transport-security: max-age=31536000
  • [ ] Set HPKP to 5184000 (60 days)
    • Public-Key-Pins: max-age=5184000; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="sRHdihwgkaib1P1gxX8HFszlD+7/gTfNvuAybgLPNis=";
      • Start with max-age set to 5 minutes (max-age=300) and increase progressively
      • The first two pins are for Digicert EV and DV roots, the last two are for Let's Encrypt X3 and X4 intermediates (LE is only used for backup)
    • [ ] If the service is not hosted under services.mozilla.com, it must be manually added to Firefox's preloaded pins.
  • If service has an admin panels, it must:
    • [ ] only be available behind Mozilla VPN (which provides MFA)
    • [ ] require Auth0 authentication

Development

  • Sign all release tags, and ideally commits as well
    • Developers should configure git to sign all tags and upload their PGP fingerprint to https://login.mozilla.com
    • The signature verification will eventually become a requirement to shipping a release to staging & prod: the tag being deployed in the pipeline must have a matching tag in git signed by a project owner. This control is designed to reduce the risk of a 3rd party GitHub integration from compromising our source code.
  • Keep 3rd-party libraries up to date
  • Integrate static code analysis in CI, and avoid merging code with issues
    • JavaScript applications should use ESLint with the Mozilla ruleset
    • Python applications should use Bandit
    • Go applications should use the Go Meta Linter
    • Use whitelisting mechanisms in these tools to deal with false positives

Dual Sign Off

  • [ ] Services that push data to Firefox clients must require a dual sign off on every change, implemented in their admin panels
    • This mechanism must be reviewed and approved by the Firefox Operations Security team before being enabled in production

Logging

  • Publish detailed logs in mozlog format (APP-MOZLOG)
    • Business logic must be logged with app specific codes (see FxA)
    • [ ] Access control failures must be logged at WARN level

Security Headers

  • Must have a CSP with
    • a report-uri pointing to the service's own /__cspreport__ endpoint
    • web API responses should return default-src 'none'; frame-ancestors 'none'; base-uri 'none'; report-uri /__cspreport__ to disallowing all content rendering, framing, and report violations
    • if default-src is not none, frame-src, and object-src should be none or only allow specific origins
    • no use of unsafe-inline or unsafe-eval in script-src, style-src, and img-src
  • Web APIs must set a non-HTML content-type on all responses, including 300s, 400s and 500s
  • Set the Secure, HTTPOnly, and SameSite flags on Cookies, and use sensible Expiration
  • Make sure your application gets an A+ on the Mozilla Observatory
  • Verify your application doesn't have any failures on the Security Baseline.
    • Contact secops@ or ping 'psiinon' on github to document exceptions to the baseline, mark csrf exempt forms, etc.
      • Note: we have a sticky session cookie AWSELB that is set without secure and httponly flags, but it is low risk.
  • [ ] Web APIs should export an OpenAPI (Swagger) to facilitate automated vulnerability tests

Security Features

  • [ ] Authentication of end-users should be via FxA. Authentication of Mozillians should be via Auth0/SSO. Any exceptions must be approved by the security team.
  • Session Management should be via existing and well regarded frameworks. In all cases you should contact the security team for a design and implementation review
    • Store session keys server side (typically in a db) so that they can be revoked immediately.
    • Session keys must be changed on login to prevent session fixation attacks.
    • Session cookies must have HttpOnly and Secure flags set and the SameSite attribute set to 'strict' or 'lax' (which allows external regular links to login).
    • For more information about potential pitfalls see the OWASP Session Management Cheet Sheet
  • [ ] Access Control should be via existing and well regarded frameworks. If you really do need to roll your own then contact the security team for a design and implementation review.

Databases

  • All SQL queries must be parameterized, not concatenated
  • Applications must use accounts with limited GRANTS when connecting to databases
    • In particular, applications must not use admin or owner accounts, to decrease the impact of a sql injection vulnerability.

Common issues

  • User data must be escaped for the right context prior to reflecting it
    • When inserting user generated html into an html context:
      • Python applications should use Bleach
      • Javascript applications should use DOMPurify
  • Apply sensible limits to user inputs, see input validation
    • POST body size should be small (<500kB) unless explicitely needed
  • [ ] When managing permissions, make sure access controls are enforced server-side
  • [ ] If handling cryptographic keys, must have a mechanism to handle quarterly key rotations
    • Keys used to sign sessions don't need a rotation mechanism if destroying all sessions is acceptable in case of emergency.
  • Do not proxy requests from users without strong limitations and filtering (see Pocket UserData vulnerability). Don't proxy requests to link local, loopback, or private networks or DNS that resolves to addresses in those ranges (i.e. 169.254.0.0/16, 127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12, 192.168.0.0/16, 198.18.0.0/15).
  • Do not use target="_blank" in external links unless you also use rel="noopener noreferrer" (to prevent Reverse Tabnabbing)
@groovecoder
Copy link
Member

@jvehent - Do we need to add greenkeeper, or are the GitHub Security Alerts for vulnerable dependencies good enough?

@g-k
Copy link

g-k commented May 9, 2018

The github security alerts are good enough.

@pdehaan
Copy link
Collaborator

pdehaan commented May 9, 2018

Semi-related, but we've been starting to use Renovate as an alternative to Greenkeeper in some projects lately, as it allows you to schedule when you want PRs [so your PR queue doesn't get flooded].

You can see a sample config in https://github.com/mozilla/watchdog-proxy/blob/master/renovate.json

@psiinon
Copy link
Contributor

psiinon commented May 30, 2018

Note that in the latest checklist under

Security Features

We've added SameSite cookies:

  • Session cookies must have HttpOnly and Secure flags set and the SameSite attribute set to 'strict' or 'lax' (which allows external regular links to login).

I'd update the first comment but it doesnt look like I have the right perms :)

@groovecoder groovecoder added next and removed backlog labels May 31, 2018
groovecoder added a commit that referenced this issue May 31, 2018
@groovecoder groovecoder self-assigned this May 31, 2018
groovecoder added a commit that referenced this issue Jun 1, 2018
for #55: redirect non-dev environments to https
@groovecoder groovecoder added this to the Shield Study milestone Jun 1, 2018
@psiinon
Copy link
Contributor

psiinon commented Jun 1, 2018

For Info the I've added the service to the daily baseline scan and the results (for those with the relevant perms) are here: https://github.com/mozilla-services/foxsec-results/blob/master/baseline-scan/Firefox-Monitor-Summary.md
Its currently failing on a missing anti CSRF token, which is probably and FP, but its also missing the SameSite flag on the session cookie, which would be really good to add.

@lesleyjanenorton
Copy link
Collaborator

hi @psiinon, can I get credentials to see the daily baseline scan results? thanks!

lesleyjanenorton added a commit that referenced this issue Jun 18, 2018
Work In Progress !

Replaced AllMusic Breach with "Example Breach" and plugged in a placeholder svg and placeholder description. Will probably need to get some great sounding copy / imagery from the UI folks but for now at least All Music is not wrongly implicated.

Restored HIBP_STAGE_API_ROOT as ('https://stage.haveibeenpwned.com/api/v2/'), which is still being used by load-breaches.js. Load-breaches.js fails when run with the new HIPB_API_ROOT ('https://api.haveibeenpwned.com') and am waiting to hear back on the new "/breaches" endpoint.

Added a maxlength attribute to the email input per part of #55
@psiinon
Copy link
Contributor

psiinon commented Jun 19, 2018

Hi @lesleyjanenorton - you should have access to them now.
Let me know if you have any problems or questions.

@groovecoder groovecoder modified the milestones: Shield Study, Staging Quality Assurance Aug 15, 2018
@groovecoder groovecoder added front-end needs-OPS Issues that needs Ops support and removed front-end labels Aug 21, 2018
groovecoder added a commit that referenced this issue Sep 5, 2018
@groovecoder
Copy link
Member

Our latest baseline failures seem to be caused by the AWSELB cookie served with Secure and HttpOnly flags? @psiinon can you help us debug that or let us know if we can ignore those 2 fails?

groovecoder added a commit that referenced this issue Sep 21, 2018
groovecoder added a commit that referenced this issue Sep 21, 2018
groovecoder added a commit that referenced this issue Sep 21, 2018
groovecoder added a commit that referenced this issue Sep 21, 2018
for #55: convert console to mozlog
@groovecoder
Copy link
Member

@jvehent @psiinon - I have not started the process to add firefox.monitor.com to Firefox pre-loaded HPKP pins. I'm too afraid of HPKP suicide to start or rush it now. Is it okay to do that later?

@g-k
Copy link

g-k commented Sep 21, 2018

@groovecoder if you're talking about the HPKP header, we dropped the recommendation for that from the checklist https://github.com/mozilla-services/foxsec/commit/12faf78319c2cd63161a973b45333b9eefb7ba22 (the wiki might not have been up to date when this bug was created)

Also, re: updating the baseline config for AWS LB cookies, Simon is on PTO and will be back next Wednesday.

@groovecoder
Copy link
Member

Verified with ops that we're keeping logs for 90 days. Filed #464 for adding app-specific log codes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
in-progress needs-OPS Issues that needs Ops support security
Projects
None yet
Development

No branches or pull requests

6 participants