#If you feel something is missing here or you would like to provide other kinds of feedback, feel free to do so here (no limits on size):
#Desired date of review (if known from https://mail.mozilla.com/home/ckoenig@mozilla.com/Security%20Review.html) and whom to invite.
= Security Assurance Vendor Review Request =
The following basic questions are used to begin the security assessment of a particular vendor that will interact with Mozilla.
#Overall
#*Please describe the overall purpose of the system and how Mozilla data will be integrated.
#Security Management
#*Have you performed internal security audits of your code or application that, at a minimum, addressed the OWASP Top 10? If so, please provide a description of the review and results.
#*Has a security audit been performed by an external third party? If so, who performed this audit and are the results available?
#*How do you protect Mozilla data that will be stored on your servers or within your applications?
#*How do you prevent other customers of your service from obtaining access to data provided by Mozilla?
#*What is your disclosure policy to customers in the event of a compromise of your servers, applications or any related infrastructure that interacts with the applications holding Mozilla data?
#*Have you suffered a security compromise in the past 24 months? If so, please provide details and the remediation that occurred as a result.
#*What other large engagements/clients have you supported with this application?
#Technical Design
#*Do you support full SSL communication for all inbound and outbound communications?
#*Describe the technology stack of the application and infrastructure.
#*What options do you support for authentication?
#**username/password
#**certificate-based authentication
#**secret token
#*Do you use third-party servers or do you host the servers yourself?
#*Do you use any third-party services or communicate with any third parties from this application?
#Security Verification
#*Will testing of the running application be possible?
#*Will source code for your application be available?