MozCamp Buenos Aires - Mozilla Security
Presentation given at the 2012 Mozcamp in Buenos Aires
Presentation Transcript

  • Mozilla & The Future of Security
    Michael Coates, mcoates@mozilla.com, michael-coates.blogspot.com, @_mwc
  • Security Reality
    • Reality in the world: “The global cost of cybercrime is greater than the combined effect on the global economy of trafficking in marijuana, heroin and cocaine” (sources: theregister.co.uk, datalossdb.org)
    • Mozilla Manifesto: “Individuals' security on the Internet is fundamental and cannot be treated as optional.”
  • Agenda
    • Security is a part of everything
    • Together we can build a secure web
    • A trip through the Mozilla Security Lifecycle
    • Securing Community Servers
  • Security is Life & Death
    • Internet Enabled Pacemaker: http://www.reuters.com/article/2009/08/11/us-pacemaker-idUSTRE5790AK20090811
    • Internet Connected Oven: http://www.tmio.com/products/
  • Importance of Security
    • Technology is integrated into all aspects of daily life
    • Security enables technology advancements into critical spaces
    • Continued technology expansion requires security
      • Cars, planes, humans
      • Utilities: power, water
      • Internet enabled ovens, pacemakers
  • Building a Secure Web with the Mozilla Community
  • Tackling Security
    • Difficult security problems
    • Need brilliant, creative thinkers
    • The Mozilla community can unite to lead security solutions for the open web
  • Security Challenges Facing Today
    • Boot 2 Gecko
    • MarketPlace
    • Apps
    • Mobile Firefox
    • Identity
    • User data!
  • Community & Security
    • Firefox & Web Bounty Programs
    • Security Review Process
  • Firefox Bounty Program
    • Encourage security research
    • Goal is to protect our users
    • Eligibility: new sg:critical and sg:high bugs
    • http://www.mozilla.org/security/bug-bounty.html
  • Web Bounty Program
    • Bounties paid for web security issues in critical web sites
    • Increase your security testing skills on a live site
    • Critical & High vulnerabilities: SQL injection, cross site scripting, etc.
    • Source code always available
    • http://www.mozilla.org/security/bug-bounty.html
  • Bounty Program
    • 2011 bugs submitted: 132 (+51 dupes) across 13 products, 45 components
      • bugzilla.mozilla.org
      • www.getfirefox.com
      • *.services.mozilla.com
      • addons.mozilla.org
      • getpersonas.com
      • services.addons.mozilla.org
      • aus*.mozilla.org
      • versioncheck.addons.mozilla.org
      • www.mozilla.com/org
      • pfs.mozilla.org
      • www.firefox.com
      • download.mozilla.org
  • Participate in Security!
    • Security reviews are always open: https://wiki.mozilla.org/Security/Reviews
    • Training for security testing: http://people.mozilla.org/~mcoates/WebSecurityLab.html
    • Building new tools to aid:
      • Garmr: https://github.com/mozilla/Garmr
      • Zed Attack Proxy: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
  • Mozilla Security Lifecycle
  • Mozilla Security Program
    • Early & often
    • Security embedding
    • Team effort & approach
    • Early security guidance eliminates costly changes late in development
  • Phases of Security
    • Security integrated into: planning, development, QA
    • Network & host security hardening
    • Security review before launch
    • Ongoing security testing & monitoring
  • Security in Planning Phase
    • Threat modeling
    • Risk analysis
  • Security in Development Phase
    • Secure Coding Guidelines: https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines
    • Hands-on security training: http://people.mozilla.org/~mcoates/WebSecurityLab.html
  • Security in QA Phase
    • QA security tests
      • Pass / fail style testing
      • Integrates security into existing processes
    • https://wiki.mozilla.org/WebAppSec/Secure_Coding_QA_Checklist
  • Hardening the Infrastructure
    • Secure network design
      • Network isolation
      • Security zones
      • Firewalls, ACLs
    • Host hardening
      • Attack detection: OSSEC
      • Detailed logging: AuditD
      • Hardened OS (mandatory access controls): RSBAC
  • Security Review Prior to Launch
    • Secure code reviews
    • Application specific penetration testing
    • Automated security verification
    • Repeatable test suites with app specific tests
    • https://wiki.mozilla.org/WebAppSec/Web_Security_Verification
  • Attack Monitoring & Response
    • Continuous monitoring
    • Ongoing security verification
  • Securing Community Servers
  • Basics
    • Passwords: change the default root password
    • Close unneeded ports: use nmap to check
    • Updates: keep it patched!
  • Next Steps
    • SSH
      • Disable root logins, e.g. ssh in as a low-privilege user and use sudo
      • Enable PubKey authentication (users need passphrases for their keys)
    • Updates
      • Install via packages: the package manager allows easy updates
    • Watch out for:
      • Telnet, FTP: password sent in the clear
      • PHPMyAdmin: riddled with vulnerabilities
  • Other Tips
    • Enhanced protections / logging:
      • OSSEC: monitors for attacks, can auto-block
      • AuditD: detailed logging of activities on the system
    • Beyond security
      • Backup plans
      • Documentation
      • Automation
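The "Next Steps" slide asks community server admins to disable root logins over SSH and to enable public-key authentication. The following POSIX shell audit is an added example, not code from the presentation or from Mozilla; it checks an sshd_config file for exactly those two settings and reports which one still needs hardening. The helper names `sshd_directive` and `audit_sshd` and the sample configuration are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the MozCamp slides: audit an sshd_config file for
# the two SSH settings the "Next Steps" slide asks for (root logins disabled,
# public-key authentication enabled). The sample config below is constructed.

# sshd_directive KEY DEFAULT FILE
# Prints the effective value of KEY. sshd honours the first uncommented
# occurrence of a directive, so the scan stops at the first hit; it also stops
# at the first "Match" block, because directives there are conditional and
# this simple audit does not evaluate Match criteria. Only the "Key value"
# form is parsed, not "Key=value".
sshd_directive() {
    awk -v key="$1" -v def="$2" '
        /^[[:space:]]*#/            { next }   # comment line
        tolower($1) == "match"      { exit }   # conditional section begins
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }          # absent: compiled-in default
    ' "$3"
}

# audit_sshd FILE
# Prints one line per setting; returns 1 if any setting is weak, else 0.
audit_sshd() {
    cfg="$1"
    rc=0

    # OpenSSH's default for PermitRootLogin is prohibit-password; the slide
    # wants root logins off entirely (log in unprivileged, then sudo).
    root=$(sshd_directive PermitRootLogin prohibit-password "$cfg")
    if [ "$root" = "no" ]; then
        echo "OK   PermitRootLogin no"
    else
        echo "FAIL PermitRootLogin $root  (set to 'no'; use an unprivileged user + sudo)"
        rc=1
    fi

    # Public-key auth defaults to yes, but a config may have switched it off.
    pubkey=$(sshd_directive PubkeyAuthentication yes "$cfg")
    if [ "$pubkey" = "yes" ]; then
        echo "OK   PubkeyAuthentication yes"
    else
        echo "FAIL PubkeyAuthentication $pubkey  (set to 'yes'; keys should carry passphrases)"
        rc=1
    fi

    return $rc
}

# Stand-alone demo on a constructed config that still allows root login.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config for this example
Port 22
PermitRootLogin yes
#PubkeyAuthentication yes
PasswordAuthentication yes
EOF
audit_sshd "$sample" || echo "hardening needed: see FAIL lines above"
rm -f "$sample"
```

To audit a real host, call `audit_sshd /etc/ssh/sshd_config` as a user that can read the file. Because the parser ignores `Match` blocks and the `Key=value` spelling, the authoritative check on the host itself is `sshd -T`, which prints the configuration sshd actually applies after all parsing; the script is useful for reviewing copies of configs that are not on a running server.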
  • Unite!
    • #security on IRC
    • dev-security mailing list
    • https://wiki.mozilla.org/Security
    • Upcoming talks
      • [16:40 Sat] Privacy and User Control, Stacy Martin
      • [12:55 Sun] B2G & App Security Model, Lucas Adamski & Camilo Viecco
      • [13:40 Sun] Getting a Handle on Privacy & Security, Shane Caraveo
  • Wrap Up
    • Security is a requirement for the success of the future open web
    • This will be challenging, but we’ve tackled big problems before
    • Let’s keep enhancing our security lifecycle to protect our users and the web
  • Thanks
    Michael Coates, mcoates@mozilla.com, :mcoates, @_mwc