Security/Process/Vendor Reviews: Difference between revisions

Jump to navigation Jump to search

Security/Process/Vendor Reviews (view source)

Revision as of 15:40, 1 May 2017

6,920 bytes removed ,  1 May 2017
Deleted page as it was never ratified and now is obsolete.
(Deleted page as it was never ratified and now is obsolete.)
 
Line 1: Line 1:
Status: Draft
[deleted/obsolete]
Date: 2013.12.31
ToDo:
* Final Sign Off
 
= Document Purpose =
The Vendor review process seeks to discover the risks that may exist by the use or installation of products and services from 3rd parties as part of regular work functions for Mozilla. This allows the business to take actions as appropriate for the business case in question.
 
== Supporting Documents ==
* [[/Risk_Categories|Vendor Risk Categories]]
* [[/Review_Questions|Vendor Review Questionaire]]
 
= Initiating the Process =
The process may be initiated in the following ways.
#'''File a bug directly'''
#* <b>[https://bugzilla.mozilla.org/enter_bug.cgi?alias=&assigned_to=nobody%40mozilla.org&attach_text=&blocked=&bug_file_loc=http%3A%2F%2F&bug_ignored=0&bug_severity=normal&bug_status=NEW&cf_blocking_b2g=---&cf_crash_signature=&comment=The%20vendor%20should%20respond%20to%20the%20following%20questions%20and%20this%20information%20should%20be%20added%20to%20the%20bug.%20In%20some%20situations%20particular%20questions%20may%20be%20not%20applicable%20to%20the%20vendor%2Fsystem.%0D%0A%0D%0A1%29%20Overall%0D%0A%2A%20Please%20describe%20the%20overall%20purpose%20of%20the%20system%20and%20how%20Mozilla%20data%20will%20be%20integrated%0D%0A2%29%20Security%20Management%0D%0A%2A%20Have%20you%20performed%20internal%20security%20audits%20of%20your%20code%20or%20application%20that%2C%20at%20a%20minimum%2C%20addressed%20the%20OWASP%20Top%2010%3F%20If%20so%2C%20please%20provide%20a%20description%20of%20the%20review%20and%20results.%0D%0A%2A%20Has%20a%20security%20audit%20been%20performed%20by%20an%20external%20third%20party%3F%20If%20so%2C%20who%20performed%20this%20audit%20and%20are%20the%20results%20available%3F%0D%0A%2A%20How%20do%20you%20protect%20Mozilla%20data%20that%20will%20be%20stored%20on%20your%20servers%20or%20within%20your%20applications%3F%0D%0A%2A%20How%20do%20you%20prevent%20other%20customers%20of%20your%20service%20from%20obtaining%20access%20to%20data%20provided%20by%20Mozilla%3F%0D%0A%2A%20What%20is%20your%20disclosure%20policy%20to%20customers%20in%20the%20event%20of%20a%20compromise%20of%20your%20servers%2C%20applications%20or%20any%20related%20infrastructure%20that%20interacts%20with%20the%20applications%20holding%20Mozilla%20data%3F%0D%0A%2A%20Have%20you%20suffered%20a%20security%20compromise%20in%20the%20past%2024%20months%3F%20If%20so%2C%20please%20provide%20details%20and%20remediation%20that%20occurred%20as%20a%20result.%0D%0A%2A%20What%20other%20large%20engagements%2Fclients%20have%20you%20supported%20with%20this%20application%3F%0D%0A3%29%20Technical%20Design%0D%0A%2A%20Do%20you%20support%20full%20SSL%20communication%20for%20all%20inbound%20and%20outbound%20communications%3F%0D%0A%2A%20Describe%20the%20technology%20stack%20of%20the%20application%20and%20infrastructure.%0D%0A%2A%20What%20options%20do%20your%20support%20for%20authentication%3F%0D%0A%2A%2A%20username%2Fpassword%0D%0A%2A%2A%20certificate%20based%20authentication%0D%0A%2A%2A%20secret%20token%0D%0A%2A%20Are%20authentication%20secrets%20%28e.g.%20passwords%29%20stored%20in%20a%20non-reversible%20form%20within%20your%20database%20%28e.g.%20hashing%29%3F%0D%0A%2A%20What%20type%20of%20hashing%20algorithm%20do%20you%20use%20%28e.g.%20sha512%2C%20md5%2C%20bcrypt%29%3F%0D%0A%2A%20Are%20salts%20added%20to%20the%20hashing%20algorithm%20which%20are%20unique%20for%20each%20user%3F%0D%0A%2A%20Will%20user%20passwords%20%28or%20authentication%20secrets%29%20be%20available%20to%20any%20other%20users%20via%20any%20functionality%20%28example%2C%20admin%20users%20can%20see%20clear%20text%20passwords%20of%20users%29%3F%0D%0A%2A%20Do%20you%20use%20third%20party%20servers%20or%20do%20you%20host%20the%20servers%20yourself%3F%0D%0A%2A%20Do%20you%20use%20any%20third%20party%20services%20or%20communicate%20with%20any%20third%20parties%20from%20this%20application%3F%0D%0A4%29%20Security%20Verification%0D%0A%2A%20Will%20testing%20of%20the%20running%20application%20be%20possible%3F%0D%0A%2A%20Will%20source%20code%20for%20their%20application%20be%20available%3F%0D%0A%2A%20Do%20you%20have%20attestation%20reports%20from%20any%20other%20vendors%20regarding%20your%20security%20posture%3F%0D%0A%2A%20Do%20you%20have%20any%20other%20security%20certifications%20that%20may%20be%20relevant%3F&component=Security%20Assurance%3A%20Review%20Request&contenttypeentry=&contenttypemethod=autodetect&contenttypeselection=text%2Fplain&data=&defined_groups=1&dependson=&description=&flag_type-4=X&flag_type-607=X&flag_type-791=X&flag_type-800=X&form_name=enter_bug&groups=mozilla-corporation-confidential&keywords=&maketemplate=Remember%20values%20as%20bookmarkable%20template&op_sys=All&priority=--&product=mozilla.org&qa_contact=&rep_platform=All&requestee_type-4=&requestee_type-607=&requestee_type-791=&requestee_type-800=&short_desc=Vendor%20Sec%20Review%3A%20%5Bvendor%20name%5D&status_whiteboard=%5Bpending%20secreview%5D&target_milestone=---&version=other direct bugzilla link]</b>
#* The vendor should respond to the [[/Review_Questions|questions]] in comment 0 (included in the direct link).  In some situations particular questions may be not applicable to the vendor/system.
 
#'''Project Kickoff'''
#* <b>[https://bugzilla.mozilla.org/form.moz-project-review Project Kick-Off Form]</b>
#* The kickoff form currently does not contain the [/Review_Questions| review questions]] that will need to be answered.
 
<b><u>Notes:</u></b>
* Bugs will be [https://wiki.mozilla.org/Security/Process/Secreview_Bug_Process triaged] weekly by the Security Program Management team (currently Wednesdays at 2pm PST).
* For urgent security reviews, please contact curtisk ?
* If possible and practival the vendor may be added to the cc list of the bug as these bugs are flagged to  "Confidential Mozilla Corporation Bug" group. This will allow the vendor to respond directly to any questions or followup items in a timeley manner and not be delayed by having to pass information through intermediaries. This flag should <b>never</b> be removed on this bug category.
 
= Bug Lifecycle =
# Once the questions have been responded to by the Vendor, either in an attachment to the bug or in a direct comment, the bug will be assigned work sprint(s) for the necessary work to be completed based on it's risk category.
# If supporting documentation is needed (ie. audit reports, other supporting documentation) that will also be requested and attached to the bug.
# If a penetration test by Mozilla Security Assurance staff is to be preformed a blocking bug shall be filled and assigned for that portion of the work to be tracked and scheduled.
# Any findings of risk shall be noted in the bug and categorized via published Security Assurance standards in either the Mozilla Wiki or Mana as appropriate.
# Once all review questions, follow-up questions, and required supporting documents have been supplied the bug shall be have it's status changed to RESOLVED-FIXED.
Jbryner
Confirmed users
65

edits

Retrieved from "https://wiki.allizom.org/Special:MobileDiff/1169797"

Navigation menu