Security Assurance and Security Operations

Security Assurance and Security Operations assist Mozillians in defining and operating security controls to ensure that data at Mozilla is protected consistently across the organization.

  • we help you define the risks around your services and data
  • we help projects design and implement security controls
  • we maintain a risk-based inventory of systems and their functional security controls to help Mozilla management determine where to invest in security measures
  • we develop a catalog of services and tools that help you appropriately secure your data
  • we respond to security investigations and incidents
  • we provide baseline practices and assist teams in defining their security standards

Documentation

Guidelines

  • AWS Security: Best practices for securely operating in Amazon Web Services
  • Key Management: Find out which algorithms are recommended, when to expire keys, etc.
  • Kubernetes: A high-level guide to basic security needs for Kubernetes
  • OpenSSH: How to configure and use the OpenSSH server and client securely
  • Phishing: A fraudulent practice of sending emails (or other communications) purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.
  • Web Security: What headers, setup, etc. should you follow for your web site?

Risk assessment

IAM

  • OpenID Connect: How to use OpenID Connect securely and improve the user's session experience
  • SAML: How to use SAML securely and improve the user's session experience

Fundamentals

  • Rationales: Explains and justifies the use of specific controls and principles
  • Security Principles: The most important security principles to follow - the baseline

Tools

Contact

Open a ticket with Security Assurance. For confidential information, send an email to infosec@mozilla.com, encrypted with our public PGP key. Our full fingerprint is 0x85D77543B3D624B63CEA9E6DBC17301B491B3F21