RRA checklist

[mjzffr]

Possibly relevant subset of https://wiki.mozilla.org/Security/FirefoxOperations#Security_Checklist

Infrastructure

• [x] Access and application logs must be archived for a minimum of 90 days

• (n/a) If service has an admin panels, it must:

  • only be available behind Mozilla VPN (which provides MFA)
  • require Auth0 authentication

Development

• [ ] Sign all release tags, and ideally commits as well
  • Developers should configure git to sign all tags and upload their PGP fingerprint to https://login.mozilla.com
  • The signature verification will eventually become a requirement to shipping a release to staging & prod: the tag being deployed in the pipeline must have a matching tag in git signed by a project owner. This control is designed to reduce the risk of a 3rd party GitHub integration from compromising our source code.
• [x] Keep 3rd-party libraries up to date
  • For Python applications, enable pyup security updates:
  • Add a pyup config to your repo (example config: https://github.com/mozilla-services/antenna/blob/master/.pyup.yml)
  • From the "add a team" dropdown for your repo add the relevant "Approved Mozilla PyUp Configuration" team for your github org (e.g. for mozilla and mozilla-services) and grant it write permission.
  • Notify secops@mozilla.com to enable the integration in pyup
  • Consider using pip list --outdated or requires.io too
• [x] Integrate static code analysis in CI, and avoid merging code with issues
  • Python applications should use Bandit
  • Use whitelisting mechanisms in these tools to deal with false positives

Logging

• [ ] Publish detailed logs in mozlog format (APP-MOZLOG)
  • Business logic must be logged with app specific codes (see FxA)
  • Access control failures must be logged at WARN level

[hwine]

Publish detailed logs in mozlog format (APP-MOZLOG)

We're in the middle of discussing relaxing the spec to allow nested dictionaries/objects -- holler if that is helpful for you. (i.e. don't force stuff to strings)

[jgraham]

I can/have set up the mozlog format logs (that term is very overloaded btw), but per the discussion with cloud services we aren't integrating with their monitoring infrastructure, so I don't think it's that valuable (in practice I think we are going to look at setting up the same stack that treeherder has for logging with new relic and papertrail).

[hwine]

That's fine on the app level logs -- as long as they are retained for a minimum of 90 days, it can be a check.

And yes, 'mozlog' is almost meaningless these days.

[mjzffr]

@hwine We've completed the initial items that James and I planned to address as a start. We'd like to address the remaining unchecked items after our first trial period in production, once the project is undergoing fewer changes.

[hwine]

@mjzffr sounds good to me

[mjzffr]

Moved to github.com/mozilla/wpt-sync