MozCamp Buenos Aires - Mozilla Security
Presentation given at the 2012 Mozcamp in Buenos Aires

Published in: Technology, News & Politics
Transcript of "MozCamp Buenos Aires - Mozilla Security"

1. Mozilla & The Future of Security
   Michael Coates
   mcoates@mozilla.com
   michael-coates.blogspot.com
   @_mwc
2. Security Reality
   Reality in The World
   “The global cost of cybercrime is greater than the combined effect on the global economy of trafficking in marijuana, heroin and cocaine”
   Sources: theregister.co.uk, datalossdb.org
   Mozilla Manifesto: “Individuals’ security on the Internet is fundamental and cannot be treated as optional.”
3. Agenda
   • Security is a part of everything
   • Together we can build a secure web
   • A trip through the Mozilla Security Lifecycle
   • Securing Community Servers

4. Security is Life & Death
   • Internet Enabled Pacemaker - http://www.reuters.com/article/2009/08/11/us-pacemaker-idUSTRE5790AK20090811
   • Internet Connected Oven - http://www.tmio.com/products/

5. Importance of Security
   • Technology integrated into all aspects of daily life
   • Security enables technology advancements into critical spaces
   • Continued technology expansion requires security
     • Cars, Planes, Humans
     • Utilities - Power, Water
     • Internet Enabled Ovens, Pacemakers

6. Building a Secure Web with Mozilla Community

7. Tackling Security
   • Difficult security problems
   • Need brilliant, creative thinkers
   • Mozilla community can unite to lead security solutions for the open web

8. Security Challenges Facing Today
   • Boot 2 Gecko
   • MarketPlace
   • Apps
   • Mobile Firefox
   • Identity
   • User Data!

9. Community & Security
   • Firefox & Web Bounty Programs
   • Security Review Process

10. Firefox Bounty Program
   • Encourage security research
   • Goal is to protect our users
   • Eligibility: new sg:critical and sg:high
   http://www.mozilla.org/security/bug-bounty.html

11. Web Bounty Program
   • Bounties paid for web security issues in critical web sites
   • Increase your security testing skills on a live site
   • Critical & High vulnerabilities - SQL injection, cross site scripting, etc.
   • Source code always available
   http://www.mozilla.org/security/bug-bounty.html

12. Bounty Program
   • 2011 Bugs Submitted: 132 (+51 dupes) across 13 products, 45 components
   • bugzilla.mozilla.org
   • www.getfirefox.com
   • *.services.mozilla.com
   • addons.mozilla.org
   • getpersonas.com
   • services.addons.mozilla.org
   • aus*.mozilla.org
   • versioncheck.addons.mozilla.org
   • www.mozilla.com/org
   • pfs.mozilla.org
   • www.firefox.com
   • download.mozilla.org

13. Participate in Security!
   • Security reviews always open
     • https://wiki.mozilla.org/Security/Reviews
   • Training for Security Testing
     • http://people.mozilla.org/~mcoates/WebSecurityLab.html
   • Building New Tools to Aid
     • Garmr - https://github.com/mozilla/Garmr
     • Zed Attack Proxy - https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

14. Mozilla Security Lifecycle

15. Mozilla Security Program
   • Early & often
   • Security embedding
   • Team effort & approach
   • Early security guidance eliminates costly changes late in development

16. Phases of Security
   • Security Integrated Into:
     • Planning
     • Development
     • QA
   • Network & Host security hardening
   • Security review before launch
   • Ongoing security testing & monitoring

17. Security in Planning Phase
   • Threat Modeling
   • Risk Analysis

18. Security in Development Phase
   • Secure Coding Guidelines
   • Hands on Security Training
   https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines
   http://people.mozilla.org/~mcoates/WebSecurityLab.html

19. Security in QA Phase
   • QA Security Tests
     • Pass / Fail style testing
     • Integrates security in existing processes
   https://wiki.mozilla.org/WebAppSec/Secure_Coding_QA_Checklist

20. Hardening the Infrastructure
   • Secure Network Design
     • Network Isolation
     • Security Zones
     • Firewalls, ACLs
   • Host Hardening
     • Attack Detection - OSSEC
     • Detailed Logging - AuditD
     • Hardened OS (mandatory access controls) - RSBAC

21. Security Review Prior to Launch
   • Secure Code Reviews
   • Application specific penetration testing
   • Automated security verification
   • Repeatable test suites with app specific tests
   https://wiki.mozilla.org/WebAppSec/Web_Security_Verification

22. Attack Monitoring & Response
   • Continuous Monitoring
   • Ongoing Security Verification

23. Securing Community Servers

24. Basics
   • Passwords - Change default root password
   • Close Unneeded Ports - Use nmap to check
   • Updates - Keep it patched!

25. Next Steps
   • SSH
     • Disable root logins - e.g. ssh as low privilege and sudo
     • Enable PubKey authentication (users need passphrases for their keys)
   • Updates
     • Install via packages - package manager allows easy update
   • Watch Out For:
     • Telnet, FTP - Password sent in the clear
     • PHPMyAdmin - Riddled with vulnerabilities

26. Other Tips
   • Enhanced Protections / Logging:
     • OSSEC - monitors for attacks, can auto block
     • AuditD - detailed logging of activities on system
   • Beyond Security
     • Backup Plans
     • Documentation
     • Automation
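The SSH items on slides 24 to 26 (disable root logins, enable public-key authentication) are easy to state and easy to get wrong in a config file, because sshd honours the first occurrence of a directive and silently ignores later ones. The following audit script is an added example, not code from the talk or from Mozilla; it assumes the sshd defaults noted in its comments (PermitRootLogin yes on older OpenSSH, PubkeyAuthentication yes) and uses constructed sample config files rather than a real server.

```shell
#!/bin/sh
# Added example (not from the MozCamp slides): audit an sshd_config against the
# deck's SSH recommendations. sshd keeps the FIRST value of a directive, so the
# audit does the same: a later "PermitRootLogin no" does not rescue a file that
# already said "yes" higher up.

# Print the effective value of a directive (first match, case-insensitive,
# comment lines skipped), or the supplied default when it is not set at all.
sshd_effective() {
    # $1 = config file, $2 = directive name, $3 = default when unset
    value=$(awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1")
    [ -n "$value" ] && printf '%s\n' "$value" || printf '%s\n' "$3"
}

# Return 0 when the file meets both slide recommendations, 1 otherwise, with
# one FAIL line per finding. Assumed defaults: PermitRootLogin yes (older
# OpenSSH; newer releases default to prohibit-password), PubkeyAuthentication yes.
audit_sshd_config() {
    rc=0
    root=$(sshd_effective "$1" PermitRootLogin yes)
    pubkey=$(sshd_effective "$1" PubkeyAuthentication yes)
    case "$root" in
        no) ;;
        *) echo "FAIL PermitRootLogin=$root (slide 25: disable root logins, use sudo)"; rc=1 ;;
    esac
    case "$pubkey" in
        yes) ;;
        *) echo "FAIL PubkeyAuthentication=$pubkey (slide 25: enable PubKey auth)"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample files (no real server involved): one weak, one hardened.
# The third line of the weak file is ignored by sshd because "yes" came first.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
printf '%s\n' '# stock config' 'PermitRootLogin yes' 'PubkeyAuthentication no' \
    'PermitRootLogin no' > "$WEAK_CFG"
printf '%s\n' 'permitrootlogin no' 'PubkeyAuthentication yes' \
    'PasswordAuthentication no' > "$HARD_CFG"

audit_sshd_config "$WEAK_CFG" || echo "weak config: review needed"
audit_sshd_config "$HARD_CFG" && echo "hardened config: OK"
rm -f "$WEAK_CFG" "$HARD_CFG"
```

Run it against /etc/ssh/sshd_config on a community server to get a pass/fail answer for the two SSH settings; the script only reads the file and changes nothing.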
27. Unite!
   • #security on irc
   • dev-security mailing list
   • https://wiki.mozilla.org/Security
   • Upcoming Talks
     • [16:40 Sat] Privacy and User Control - Stacy Martin
     • [12:55 Sun] B2G & App Security Model - Lucas Adamski & Camilo Viecco
     • [13:40 Sun] Getting a Handle on Privacy & Security - Shane Caraveo

28. Wrap Up
   • Security is a requirement for the success of the future open web
   • This will be challenging, but we’ve tackled big problems before
   • Let’s keep enhancing our security lifecycle to protect our users and the web

29. Thanks
   michael coates
   mcoates@mozilla.com
   :mcoates
   @_mwc