This repository has been archived by the owner on Jan 29, 2025. It is now read-only.

[tracker] Security checklist #286

Closed
35 tasks done
jvehent opened this issue Oct 4, 2016 · 4 comments

@jvehent
Contributor

jvehent commented Oct 4, 2016

Risk Management

  • The service must have performed a Rapid Risk Assessment and have a Risk Record bug (SVC-RRA).

Infrastructure rules

  • Use Intermediate TLS (INFRA-TLS)
  • Set HSTS to 31536000 (1 year) (INFRA-HSTS)
  • Set HPKP to 5184000 (60 days) (INFRA-HPKP)
    • Public-Key-Pins: max-age=5184000; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="sRHdihwgkaib1P1gxX8HFszlD+7/gTfNvuAybgLPNis=";
      • Start with max-age set to 5 minutes and increase gradually
      • Pin to the EV and DV roots of Digicert
    • If the service is not hosted under services.mozilla.com, it must be manually added to Firefox's preloaded pins.
  • If a service has an admin panel, it must:
    • only be available behind Mozilla VPN (which provides MFA) (INFRA-ADMINVPN)
    • require LDAP authentication (INFRA-ADMINLDAP)
    • enforce a two-man rule on sensitive changes (INFRA-2MANRULE)

Coding rules

The following rules apply to all web applications: APIs and websites.

  • Sign all commits (APP-COMMITSIG)
  • Detailed logging in mozlog format (APP-MOZLOG)
    • Business logic must be logged with app specific codes (errno)
    • Access control failures must be logged at WARN level
  • All SQL queries must be parameterized, not concatenated (APP-SQL)
  • User data must be escaped for the right context prior to reflecting it (APP-ESCAPE)
  • Apply sensible limits to user inputs, see input validation (APP-INPUTVAL)
  • Enforce Access Controls server-side (APP-ACL)
  • Set the Secure flag on Cookies, and use sensible Expiration and HTTPOnly (APP-SECCOOKIE)
  • Keep 3rd-party libraries up to date (APP-DEPS)
  • If handling cryptographic keys, must have a mechanism to handle monthly key rotations (APP-KEYROT)
    • All keys must be rotated quarterly.
    • Keys used to sign sessions don't need a rotation mechanism if destroying all sessions is acceptable during.

Additional websites requirements

The following coding rules only apply to websites, not web APIs.

  • Never store passwords, use Firefox Accounts (APP-IDP)
  • Forbid Mixed content, always use HTTPS (APP-MIXCONTENT)
  • Must have a CSP with (APP-CSP)
    • a report-uri pointing to the service's own /__cspreport__ endpoint
    • if default-src is not self, child-src should be none or only allow specific origins
    • no use of unsafe-inline or unsafe-eval
  • Must have CSRF tokens and manually exclude specific forms (APP-CSRF)
  • Should consider having checksums for 3rd-party content via SRI (APP-SRI).
    • Trusted 3rd parties, like Google Analytics, don't need SRI. Use your best judgment to decide if a 3rd party script is trustworthy (and assume it is not).
  • Consider Security headers as appropriate (APP-HEADERS)
    • X-Content-Type-Options
    • X-Frame-Options
    • X-XSS-Protection

Data rules

  • When storing sensitive user data (like browsing history) on Mozilla servers:
    • Anonymize it (similar to Tiles) (DATA-ANON)
    • Encrypt it client-side (similar to Sync) (DATA-CRYPT)
    • If user data must be stored non-anonymized and in clear text, you must talk to the security and legal teams about it.
  • If the service pushes data to Firefox, like when distributing blacklists or pushing updates, cryptographic signatures must be used. (DATA-SIGN)
    • Add-ons must use standard AMO signing (APP-SIGNING)
    • Code & Conf must use Content-Signature via Autograph (DATA-SIGNING)
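
As an added example (not part of the checklist above and not Normandy's own code), the following Python script turns the header-related items (INFRA-HSTS, INFRA-HPKP, APP-CSP, APP-HEADERS, APP-SECCOOKIE) into a mechanical check over a response's headers and Set-Cookie values. The two sample responses are constructed, the pin values are placeholders, and the rule that an HPKP max-age may be below 60 days (the gradual ramp-up the checklist describes) but not above is my reading of the list.

```python
"""Check HTTP response headers against the header items of this checklist.

Added example, not Normandy code. Sample responses below are constructed.
"""
import re

ONE_YEAR = 31536000    # INFRA-HSTS target from the checklist
SIXTY_DAYS = 5184000   # INFRA-HPKP target from the checklist


def _max_age(value):
    """Integer max-age directive of a header value, or None if absent."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def _csp_directives(value):
    """Parse a CSP header into {directive: [source tokens]} (lower-cased)."""
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out


def check_headers(headers, cookies=()):
    """Return a list of findings; an empty list means every checked item passes.

    headers: dict of header name -> value (names matched case-insensitively)
    cookies: iterable of Set-Cookie header values
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None or (_max_age(hsts) or 0) < ONE_YEAR:
        findings.append("INFRA-HSTS: Strict-Transport-Security max-age must be >= 31536000")

    hpkp = h.get("public-key-pins")
    if hpkp is None:
        findings.append("INFRA-HPKP: Public-Key-Pins header missing")
    else:
        pins = re.findall(r'pin-sha256="([^"]+)"', hpkp)
        if len(pins) < 2:  # HPKP needs a backup pin or the site can brick itself
            findings.append("INFRA-HPKP: at least two pin-sha256 values required")
        if (_max_age(hpkp) or 0) > SIXTY_DAYS:  # ramp-up below 60 days is fine
            findings.append("INFRA-HPKP: max-age must not exceed 5184000")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("APP-CSP: Content-Security-Policy header missing")
    else:
        d = _csp_directives(csp)
        if d.get("report-uri") != ["/__cspreport__"]:
            findings.append("APP-CSP: report-uri must point at /__cspreport__")
        for directive, sources in d.items():
            if "'unsafe-inline'" in sources or "'unsafe-eval'" in sources:
                findings.append(f"APP-CSP: {directive} allows unsafe-inline/unsafe-eval")
        if d.get("default-src") != ["'self'"]:
            child = d.get("child-src")
            if child is None or "*" in child:
                findings.append("APP-CSP: default-src is not 'self'; child-src must be 'none' or explicit origins")

    for name in ("x-content-type-options", "x-frame-options", "x-xss-protection"):
        if name not in h:
            findings.append(f"APP-HEADERS: {name} missing")

    for cookie in cookies:
        attrs = [a.strip().lower() for a in cookie.split(";")]
        name = attrs[0].split("=", 1)[0]
        if "secure" not in attrs:
            findings.append(f"APP-SECCOOKIE: cookie {name} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"APP-SECCOOKIE: cookie {name} lacks HttpOnly")
        if not any(a.startswith(("expires=", "max-age=")) for a in attrs):
            findings.append(f"APP-SECCOOKIE: cookie {name} has no Expires/Max-Age")
    return findings


# Constructed samples; the pin values are placeholders, not real key hashes.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Public-Key-Pins": 'max-age=300; pin-sha256="PLACEHOLDER-PIN-1="; pin-sha256="PLACEHOLDER-PIN-2="',
    "Content-Security-Policy": "default-src 'self'; report-uri /__cspreport__",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
}
GOOD_COOKIES = ["sessionid=abc123; Secure; HttpOnly; Max-Age=1209600; Path=/"]

WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=86400",
    "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'",
}
WEAK_COOKIES = ["sessionid=abc123; Path=/"]

if __name__ == "__main__":
    for finding in check_headers(WEAK_HEADERS, WEAK_COOKIES):
        print(finding)
```

Run it against a real deployment by feeding it the headers from an HTTPS response; each finding names the checklist item it maps to, so the output can be pasted straight into the tracking issue.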
@rugk

rugk commented Oct 6, 2016

> If user data must be stored non-anonymized and in clear text,

So is this actually the case?

BTW: Is this already deployed or still work in progress?

@mythmon
Contributor

mythmon commented Oct 6, 2016

We don't currently store any user data. I was told that items that don't apply should be checked off.

Normandy is currently deployed at (among other places) https://self-repair.mozilla.org and https://normandy-admin.prod.mozaws.net (VPN required).

@Osmose Osmose removed their assignment Nov 1, 2016
@Osmose Osmose self-assigned this Feb 8, 2017
@Osmose Osmose added this to the Sprint 5 - February 6th - February 18th, 2017 milestone Feb 8, 2017
Osmose pushed a commit to Osmose/normandy that referenced this issue Feb 8, 2017
mythmon pushed a commit that referenced this issue Feb 8, 2017
Osmose pushed a commit to Osmose/normandy that referenced this issue Feb 13, 2017
Osmose pushed a commit to Osmose/normandy that referenced this issue Feb 14, 2017
Osmose pushed a commit to Osmose/normandy that referenced this issue Feb 14, 2017
Osmose pushed a commit to Osmose/normandy that referenced this issue Feb 14, 2017
Because CSP prevents the use of eval, we cannot use the eval-based
sourcemap support in Webpack. The other alternative, inline-source-map,
seems to trigger errors in the Django development server due to URLs
that are too long, so the only remaining alternative is to use
external source maps, which seem to work fine.
Osmose pushed a commit to Osmose/normandy that referenced this issue Feb 15, 2017
Osmose pushed a commit to Osmose/normandy that referenced this issue Feb 15, 2017
Osmose pushed a commit to Osmose/normandy that referenced this issue Feb 16, 2017
Osmose pushed a commit to Osmose/normandy that referenced this issue Feb 16, 2017
@Osmose
Contributor

Osmose commented Feb 21, 2017

All the items in this checklist are in progress or not relevant. There are two items from the list that have separate issues filed:

Given that GitHub is awful for representing the relationship between issues, I think we can call this issue closed and track the remaining work in those two issues.

@Osmose Osmose closed this as completed Feb 21, 2017
@jvehent
Contributor Author

jvehent commented Feb 21, 2017

Awesome! Thanks a lot for going through it.

Osmose added a commit that referenced this issue Feb 21, 2017
#286: Add CSP via django-csp.
Osmose pushed a commit to Osmose/normandy that referenced this issue Feb 23, 2017
Osmose pushed a commit to Osmose/normandy that referenced this issue Mar 1, 2017
Osmose added a commit that referenced this issue Mar 1, 2017
#286: Use subresource integrity for static assets.
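
As an added example of the APP-SRI item that the commit above implements (my code, not the commit's or Normandy's), this Python helper generates `integrity` attributes for static assets and verifies fetched bytes against an integrity string the way a browser does: tokens with unknown algorithms are ignored, and only tokens of the strongest listed algorithm count. The asset contents are constructed.

```python
"""Subresource Integrity: generate and verify integrity metadata.

Added example, not Normandy's SRI implementation. Asset bytes are constructed.
"""
import base64
import hashlib
import hmac

# Algorithm strength order used by browsers when several tokens are present.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def integrity_for(content: bytes, algo: str = "sha384") -> str:
    """Return an SRI token such as 'sha384-<base64 digest>' for the content."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """Build a <script> tag carrying the integrity attribute for the asset.

    crossorigin="anonymous" is required for cross-origin assets, otherwise the
    browser cannot read the response body to hash it and blocks the load.
    """
    return (f'<script src="{src}" integrity="{integrity_for(content)}" '
            'crossorigin="anonymous"></script>')


def verify_integrity(content: bytes, integrity: str) -> bool:
    """Browser-style check of content against a space-separated token list.

    Tokens with unknown algorithms or no digest are skipped. If nothing usable
    remains the browser performs no check, so this returns True as well; a
    deployment pipeline may want to treat that case as a lint failure instead.
    """
    parsed = []
    for token in integrity.split():
        algo, _, b64 = token.partition("-")
        algo = algo.lower()
        if algo in STRENGTH and b64:
            parsed.append((algo, b64.split("?", 1)[0]))  # drop any ?options
    if not parsed:
        return True
    strongest = max(STRENGTH[a] for a, _ in parsed)
    for algo, b64 in parsed:
        if STRENGTH[algo] != strongest:
            continue  # weaker tokens are ignored when a stronger one exists
        expected = base64.b64encode(hashlib.new(algo, content).digest()).decode("ascii")
        if hmac.compare_digest(expected, b64):
            return True
    return False


# Constructed sample asset; not a file from the Normandy repository.
ASSET = b'console.log("constructed static asset");\n'
TAMPERED = ASSET + b'fetch("https://attacker.invalid/x");\n'

if __name__ == "__main__":
    print(script_tag("/static/app.js", ASSET))
    print("genuine:", verify_integrity(ASSET, integrity_for(ASSET)))
    print("tampered:", verify_integrity(TAMPERED, integrity_for(ASSET)))
```

The same `integrity_for` function is what a build step runs over each file in the static bundle so the templates can emit the attribute; the tag must be regenerated whenever the asset changes or the browser will refuse to load it.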