Security Checklist

@leplatrem

@leplatrem we can split this into smaller issues if you want to do that instead.

Also, a bunch of these probably won't apply and I'll handle some of them (e.g. the Risk Management and Infrastructure sections), but I wanted to start thinking about these.

Risk Management

The service must have performed a Rapid Risk Assessment and have a Risk Record bug
Public staging and production endpoints must be added to the security baseline

Infrastructure

Access and application logs must be archived for a minimum of 90 days
Use Modern or Intermediate TLS
Set HSTS to 31536000 (1 year)
- strict-transport-security: max-age=31536000
- If the service is not hosted under services.mozilla.com, it must be manually added to Firefox's preloaded pins.
If service has an admin panels, it must:
- only be available behind Mozilla VPN (which provides MFA)
- require Auth0 authentication

Development

Ensure your code repository is configured and located appropriately:
- Only designated people should be allowed to push to production branches. (GitHub protected branches.)
- Host your repository in a trusted organization (one that follows EIS Recommendations). A list is maintained here.
Sign all release tags, and ideally commits as well
- Developers should configure git to sign all tags and upload their PGP fingerprint to https://login.mozilla.com
- The signature verification will eventually become a requirement to shipping a release to staging & prod: the tag being deployed in the pipeline must have a matching tag in git signed by a project owner. This control is designed to reduce the risk of a 3rd party GitHub integration from compromising our source code.
Keep 3rd-party libraries up to date
- Use NSP or [GreenKeeper](https://greenkeeper.io/ Greenkeeper) for NodeJS applications
- For Python applications, enable pyup security updates:
  - Add a pyup config to your repo (example config: https://github.com/mozilla-services/antenna/blob/master/.pyup.yml)
  - From the "add a team" dropdown for your repo add the relevant "Approved Mozilla PyUp Configuration" team for your github org (e.g. for mozilla and mozilla-services) and grant it write permission.
  - Notify secops@mozilla.com to enable the integration in pyup
  - Consider using pip list --outdated or requires.io too
Integrate static code analysis in CI, and avoid merging code with issues
- Javascript applications should use ESLint with the Mozilla ruleset
- Python applications should use Bandit
- Go applications should use the Go Meta Linter 7333
- Use whitelisting mechanisms in these tools to deal with false positives

Dual Sign Off

Services that push data to Firefox clients must require a dual sign off on every change, implemented in their admin panels
- This mechanism must be reviewed and approved by the Firefox Operations Security team before being enabled in production

Logging

Publish detailed logs in mozlog format (APP-MOZLOG)
- Business logic must be logged with app specific codes (see FxA)
- Access control failures must be logged at WARN level

Security Headers

Security Features

Authentication of end-users should be via FxA. Authentication of Mozillians should be via Auth0/SSO. Any exceptions must be approved by the security team.
Session Management should be via existing and well regarded frameworks. In all cases you should contact the security team for a design and implementation review
- Store session keys server side (typically in a db) so that they can be revoked immediately.
- Session keys must be changed on login to prevent session fixation attacks.
- Session cookies must have HttpOnly and Secure flags set.
- For more information about potential pitfalls see the OWASP Session Management Cheet Sheet
Access Control should be via existing and well regarded frameworks. If you really do need to roll your own then contact the security team for a design and implementation review.

Databases

All SQL queries must be parameterized, not concatenated
Applications must use accounts with limited GRANTS when connecting to databases
- In particular, applications must not use admin or owner accounts, to decrease the impact of a sql injection vulnerability.

Common issues

User data must be escaped for the right context prior to reflecting it
- When inserting user generated html into an html context:
  - Python applications should use Bleach
  - Javascript applications should use DOMPurify
Apply sensible limits to user inputs, see input validation
- POST body size should be small (<500kB) unless explicitely needed
When managing permissions, make sure access controls are enforced server-side
If handling cryptographic keys, must have a mechanism to handle quarterly key rotations
- Keys used to sign sessions don't need a rotation mechanism if destroying all sessions is acceptable in case of emergency.
Do not proxy requests from users without strong limitations and filtering (see Pocket UserData vulnerability). Don't proxy requests to link local, loopback, or private networks or DNS that resolves to addresses in those ranges (i.e. 169.254.0.0/16, 127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12, 192.168.0.0/16, 198.18.0.0/15).
Do not use target="_blank" in external links unless you also use rel="noopener noreferrer" (to prevent Reverse Tabnabbing)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Risk Management

Infrastructure

Development

Dual Sign Off

Logging

Security Headers

Security Features

Databases

Common issues

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Description

Risk Management

Infrastructure

Development

Dual Sign Off

Logging

Security Headers

Security Features

Databases

Common issues

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions