Security Checklist

[jvehent]

Risk Management

• [x] The service must have performed a Rapid Risk Assessment and have a Risk Record bug (SVC-RRA).

Infrastructure rules

• [x] Access and application logs must be archived for a minimum of 90 days
• [x] Use Modern or Intermediate TLS (INFRA-TLS)
• [x] Set HSTS to 31536000 (1 year) (INFRA-HSTS)
  • strict-transport-security: max-age=31536000
• [x] Set HPKP to 5184000 (60 days) (INFRA-HPKP)
  • Public-Key-Pins: max-age=5184000; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="sRHdihwgkaib1P1gxX8HFszlD+7/gTfNvuAybgLPNis=";
  • Start with max-age set to 5 minutes (max-age=300) and increase progressively
  • The first two pins are for Digicert EV and DV roots, the last two are for Let's Encrypt X3 and X4 intermediates (LE is only used for backup)
  • [x] If the service is not hosted under services.mozilla.com, it must be manually added to Firefox's preloaded pins.
• If service has an admin panels, it must:
  • [x] only be available behind Mozilla VPN (which provides MFA) (INFRA-ADMINVPN)
  • [x] require LDAP authentication (INFRA-ADMINLDAP)
  • [x] enforce a two-man rule on sensitive changes (INFRA-2MANRULE)

Coding rules

The following rules apply to all web applications: api and websites.

• [x] Sign all release tags, and maybe commits as well (APP-COMMITSIG)
  • Developers should configure git to sign all tags and upload their PGP fingerprint to https://login.mozilla.com
  • The signature verification will eventually become a requirement to shipping a release to staging & prod: the tag being deployed in the pipeline must have a matching tag in git signed by a project owner. This control is designed to reduce the risk of a 3rd party GitHub integration from compromising our source code.
• [x] Publish detailed logs in mozlog format (APP-MOZLOG)
  • Business logic must be logged with app specific codes (errno)
  • Access control failures must be logged at WARN level
• [x] Must have a CSP with (APP-CSP)
  • [x] a report-uri pointing to the service's own /__cspreport__ endpoint
  • [x] web APIs should set default-src to none, disallowing all content rendering
  • [x] if default-src is not self, frame-src and object-src should be none or only allow specific origins
  • [x] no use of unsafe-inline or unsafe-eval
• [x] User data must be escaped for the right context prior to reflecting it (APP-ESCAPE)
• [x] Web APIs must set a non-HTML content-type on all responses, including 300s, 400s and 500s (APP-NOHTML)
• [x] All SQL queries must be parameterized, not concatenated (APP-SQL)
• [x] Apply sensible limits to user inputs, see input validation (APP-INPUTVAL)
• [x] When managing permissions, make sure access controls are enforced server-side (APP-ACL)
• [x] Set the Secure and HTTPOnly flags on Cookies, and use sensible Expiration (APP-SECCOOKIE)
• Keep 3rd-party libraries up to date (APP-DEPS)
  • [x] Use NSP or GreenKeeper for NodeJS applications
  • [x] For Python applications, enable pyup security updates:
  • Add a pyup config to your repo (example config: https://github.com/mozilla-services/antenna/blob/master/.pyup.yml)
  • Add https://github.com/mozsvcpyup as a collaborator to your repo
  • Notify secops@mozilla.com to enable the integration in pyup
  • Consider using pip --outdated or requires.io too
• [x] If handling cryptographic keys, must have a mechanism to handle quarterly key rotations (APP-KEYROT)
  • Keys used to sign sessions don't need a rotation mechanism if destroying all sessions is acceptable in case of emergency.
• [x] Applications must use accounts with limited GRANTS when connecting to databases (APP-DBPRIV)
  • In particular, applications must not use admin or owner accounts, to decrease the impact of a sql injection vulnerability.
• [x] fork, exec, subprocess, child_process, etc. calls passing user input to a binary should be sandboxed

(edit) - crossed out N/A items

[jvehent]

The base setup already gets a B+ on the observatory so I checked the sections that already pass. Please go through the unchecked items, preferably before going live.

[pdehaan]

27/27... @jvehent @clouserw Any objections to us closing this?

[ghost]

I'm happy if @jvehent is happy

[jvehent]

No objection. Thanks for going through it!