Test Driven Security in Mozilla’s infrastructures

Test Driven Security (TDS) is the process of verifying the compliance of systems, networks and services against security policies.

We use four standardized levels: low, medium, high and maximum. Each level maps to specific requirements at the system, network and service levels. General policies, such as “must monitor root user activity on servers”, are derived into specific requirements that guide the technical choices, like “on linux servers, the audit daemon must monitor system calls from the root user for processes creations”.

TDS provides a way to control security compliance in near real time, and assist operational teams in the implementation and maintenance of secure infrastructures.

Compliance checks

OpSec built two systems to implement TDS: MIG and MozDef (it is worth noting that TDS is only one of the goals that these systems are built for).

• MIG (Mozilla InvestiGator) is a live forensic platform that queries endpoints in real time for security investigations. MIG runs an agent on every system that processes requests from investigators, and stores the results in a database.
• MozDef is Mozilla Defense Platform, a SIEM built to facilitate incident response. MozDef collects and analyzes millions of events every day, from sources across the Mozilla network.

MIG runs tests on target systems, retrieves the results and converts them into “compliance item” format. MozDef downloads compliance items from MIG at regular intervals, and stores them into its database. Users visualize the compliance items in a MozDef dashboard (powered by Kibana, the dashboard interface developed by Elasticsearch).