Security/Reviews/Review Request Form

From MozillaWiki

This process is not currently in use; it is maintained here for historical purposes.

Link

Just looking for the project kick-off form link?

Here it is: Project Kick-Off Form

Am I in the right place?

The Security Assurance team provides security and privacy reviews for any new product feature, application or service created by Mozilla. These reviews are required before the new code is launched. We handle many security reviews each quarter, so it is best to file a security review request at the beginning of your project.

What happens during the security & privacy review?

The Security Assurance team will review the design and code to identify security vulnerabilities that could place users or the application/system at risk. In addition, we review the handling of user data to ensure the data is protected with technical controls and handled in line with our privacy principles. Don't hesitate to ask us questions at any point during development. You can reach our team at security@mozilla.com.

Security Assurance Security Review Request

You have a few options to engage the Security Assurance team.

  1. Bug Review: security / privacy guidance needed within a bug
    • Simply set the flag "sec-review" to "?"; anyone can nominate an item they feel we should review.
    • This automatically adds the bug to our triage queue, and we will soon jump on the bug to assist as needed.
    • If an urgent response is needed for an emergency, please notify Curtis Koenig (curtisk) and he will attempt to expedite.
    • Once triaged and accepted for review, a requestee will be assigned from the security team (visible on the bug).
    • A tracking bug will be filed in the "Security Assurance:Security Review" component to document our activities and for metrics.
      • The security bug will then block the implementation bug until the review is completed.
    • If a review is deemed not necessary, the flag will be set back to none.
  2. For items without a bug or early in planning stages
    • File a new bug (via the link below) within Bugzilla for a review request.
    • Assign the bug to Product: Mozilla.org (under Other) and Component: Security Assurance: Review Needed.

      Here is a direct Bugzilla link <- IMPORTANT: Please use this URL. It populates important data into the bug for tracking purposes. Without this data the request will get lost in Bugzilla.

    • Please copy the questions below into the bug and answer them to help us properly handle your request.
  3. For Vendor reviews
    • Please file a bug for a Vendor Security Review using this direct Bugzilla link. The vendor should respond to the questions below, and this information should be added to the bug. In some situations particular questions may not be applicable to the vendor/system.
Questions to Address within Request Body

Security Assurance Review Request

  1. Who is/are the point of contact(s) for this review?
  2. Please provide a short description of the feature / application (e.g. problem solved, use cases, etc.):
  3. Please provide links to additional information (e.g. feature page, wiki) if available and not yet included in feature description:
  4. Does this request block another bug? If so, please indicate the bug number.
  5. This review will be scheduled among other requested reviews. What is the urgency or needed completion date of this review?
  6. To help prioritize this work request, does this project support a goal specifically listed on this quarter's goal list? If so, which goal?
  7. Please answer the following few questions (Note: if you are asked to describe anything, 1-2 sentences will suffice):
    • Does this feature or code change affect Firefox, Thunderbird or any product or service that Mozilla ships to end users?
    • Are there any portions of the project that interact with 3rd party services?
    • Will your application/service collect user data? If so, please describe.
  8. If you feel something is missing here or you would like to provide any other kind of feedback, feel free to do so here (no limits on size):
  9. Desired Date of review (if known from https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html) and whom to invite.

Security Assurance Vendor Review Request

The following basic questions are used to begin the security assessment of a particular vendor that will interact with Mozilla.

  1. Overall
    • Please describe the overall purpose of the system and how Mozilla data will be integrated.
  2. Security Management
    • Have you performed internal security audits of your code or application that, at a minimum, addressed the OWASP Top 10? If so, please provide a description of the review and results.
    • Has a security audit been performed by an external third party? If so, who performed this audit and are the results available?
    • How do you protect Mozilla data that will be stored on your servers or within your applications?
    • How do you prevent other customers of your service from obtaining access to data provided by Mozilla?
    • What is your disclosure policy to customers in the event of a compromise of your servers, applications or any related infrastructure that interacts with the applications holding Mozilla data?
    • Have you suffered a security compromise in the past 24 months? If so, please provide details and remediation that occurred as a result.
    • What other large engagements/clients have you supported with this application?
  3. Technical Design
    • Do you support full SSL communication for all inbound and outbound communications?
    • Describe the technology stack of the application and infrastructure.
    • What options do you support for authentication?
      • username/password
      • certificate based authentication
      • secret token
    • Are authentication secrets (e.g. passwords) stored in a non-reversible form within your database (e.g. hashing)?
    • What type of hashing algorithm do you use (e.g. sha512, md5, bcrypt)?
    • Are salts added to the hashing algorithm which are unique for each user?
    • Will user passwords (or authentication secrets) be available to any other users via any functionality (example, admin users can see clear text passwords of users)?
    • Do you use third party servers or do you host the servers yourself?
    • Do you use any third party services or communicate with any third parties from this application?
  4. Security Verification
    • Will testing of the running application be possible?
    • Will source code for your application be available?
    • Do you have attestation reports from any other vendors regarding your security posture?
    • Do you have any other security certifications that may be relevant?

A bug is filed; now what?

Many security reviews will be handled by individuals. They will ask some questions, review the code and in some cases run tests (manual or automated), including fuzzers. If follow-up issues are found:

  1. A bug will be filed that:
    • Blocks the security review bug so we can track follow-up issues
    • Blocks the implementation bug so the engineering team can prioritize the work
  2. The main review bug will be "Resolved->Fixed" so that everyone knows the main review work is done
    • When all follow-up bugs are completed we will change the status to "Verified->Fixed"
      • This is done so that any conversations about continuing work can happen at a later date if needed, and so that we can track the review as being done in a particular calendar quarter rather than having it run on forever, since follow-up bugs may have a lower priority.

Some items may need a larger pool of input or carry a higher risk. In these cases a security review meeting will be convened. These meetings are held as public meetings to allow anyone who may have input on the item to have their voice heard. They are scheduled weekly in pre-set slots on a first come, first served basis so as to cause as little interruption to schedules as possible. Available slots are:

  • Monday & Wednesday at 1300 Pacific time
  • Thursday & Friday at 1000 Pacific time

If for some reason these times do not work for a geo-distributed team, alternate times can be worked out.

The security review calendar is publicly published here:

If you so choose, you can request an open review date when you file your review bug, so as to be proactive about your project's schedule.

For inquiries about the schedule, or to schedule a meeting, contact security@mozilla.com. In cases where a review meeting is held, the same bug lifecycle process as above will be used.