2. Mozilla & The Future of Security
Michael Coates
mcoates@mozilla.com
michael-coates.blogspot.com
@_mwc
3. Security Reality
Reality in The World
“The global cost of cybercrime is greater than the combined effect on the global economy of trafficking in marijuana, heroin and cocaine”
Sources: theregister.co.uk, datalossdb.org
Mozilla Manifesto
“Individuals' security on the Internet is fundamental and cannot be treated as optional.”
4. Agenda
• Security is a part of everything
• Together we can build a secure web
• A trip through the Mozilla Security Lifecycle
• Securing Community Servers
5. Security is Life & Death
Internet Enabled Pacemaker - http://www.reuters.com/article/2009/08/11/us-pacemaker-idUSTRE5790AK20090811
Internet Connected Oven - http://www.tmio.com/products/
6. Importance of Security
• Technology integrated into all aspects of daily life
• Security enables technology advancements into critical spaces
• Continued technology expansion requires security
• Cars, Planes, Humans
• Utilities - Power, Water
• Internet Enabled Ovens, Pacemakers
8. Tackling Security
• Difficult security problems
• Need brilliant, creative thinkers
• Mozilla community can unite to lead security solutions for the open web
11. Firefox Bounty Program
• Encourage security research
• Goal is to protect our users
• Eligibility: new sg:critical and sg:high
http://www.mozilla.org/security/bug-bounty.html
12. Web Bounty Program
• Bounties paid for web security issues in critical web sites
• Increase your security testing skills on live site
• Critical & High vulnerabilities - SQL injection, cross-site scripting, etc.
• Source code always available
http://www.mozilla.org/security/bug-bounty.html
14. Participate in Security!
• Security reviews always open
• https://wiki.mozilla.org/Security/Reviews
• Training for Security Testing
• http://people.mozilla.org/~mcoates/WebSecurityLab.html
• Building New Tools to Aid
• Garmr - https://github.com/mozilla/Garmr
• Zed Attack Proxy - https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
16. Mozilla Security Program
• Early & often
• Security embedding
• Team effort & approach
• Early security guidance eliminates costly changes late in development
19. Security in Development Phase
• Secure Coding Guidelines
• Hands on Security Training
https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines
http://people.mozilla.org/~mcoates/WebSecurityLab.html
25. Basics
• Passwords - Change default root password
• Close Unneeded Ports - Use nmap to check
• Updates - Keep it patched!
26. Next Steps
• SSH
• Disable root logins - e.g. SSH in as a low-privilege user, then use sudo
• Enable PubKey authentication (users need passphrases on their keys)
• Updates
• Install via packages - package manager allows easy update
• Watch Out For:
• Telnet, FTP - Password sent in the clear
• PHPMyAdmin - Riddled with vulnerabilities
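The SSH points above (root logins off, public-key authentication on) are easy to state and easy to get wrong in a long sshd_config. The following POSIX shell script is an added example, not from the talk or Mozilla: it reads a config file, applies OpenSSH's first-match rule for each directive, and reports a finding for a weak setting. The two sample configs are constructed inline; the directive names PermitRootLogin and PubkeyAuthentication are standard OpenSSH keywords, and the script does not handle conditional Match blocks.

```shell
#!/bin/sh
# Added example (not the talk's own material): audit an sshd_config for the
# two settings the slide calls out. Assumes OpenSSH keyword names.

# Print the effective value of a directive from a config file.
# OpenSSH uses the first uncommented occurrence, so we stop at the first match.
# Prints nothing when the directive is not set. (Match blocks are not handled.)
sshd_value() {
    # $1 = directive name, $2 = path to config file
    awk -v key="$1" '
        /^[[:space:]]*#/ { next }                    # skip comment lines
        tolower($1) == tolower(key) { print $2; exit }
    ' "$2"
}

# Return 0 when root logins are disabled outright, 1 otherwise.
# An unset directive falls back to the OpenSSH default, which varies by
# version, so it is treated as a finding: the value should be explicit.
check_root_login() {
    v=$(sshd_value PermitRootLogin "$1")
    case "$v" in
        no) return 0 ;;
        *)  return 1 ;;
    esac
}

# Return 0 when public-key auth is enabled (explicitly, or unset = default yes).
check_pubkey_auth() {
    v=$(sshd_value PubkeyAuthentication "$1")
    case "$v" in
        ""|yes) return 0 ;;
        *)      return 1 ;;
    esac
}

# Run all checks, print one line per finding, return the number of findings.
audit_sshd_config() {
    findings=0
    check_root_login "$1" || {
        echo "FINDING: PermitRootLogin is not 'no' (got '$(sshd_value PermitRootLogin "$1")')"
        findings=$((findings + 1))
    }
    check_pubkey_auth "$1" || {
        echo "FINDING: PubkeyAuthentication is disabled"
        findings=$((findings + 1))
    }
    return $findings
}

# Constructed sample configs (not real server files) for a stand-alone run.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# weak: root may log in with a password, key authentication turned off
PermitRootLogin yes
PubkeyAuthentication no
PasswordAuthentication yes
EOF

HARDENED_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
# hardened: operators log in as low-privilege users with keys, then sudo
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
EOF
trap 'rm -f "$WEAK_CFG" "$HARDENED_CFG"' EXIT

for cfg in "$WEAK_CFG" "$HARDENED_CFG"; do
    echo "== auditing $cfg"
    audit_sshd_config "$cfg" || echo "$? finding(s)"
done
```

Point the script at /etc/ssh/sshd_config on a real host to see the same report; a non-zero exit status makes it usable as a check in a deployment script.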
27. Other Tips
• Enhanced Protections / Logging:
• OSSEC - monitors for attacks, can auto block
• AuditD - detailed logging of activities on system
• Beyond Security
• Backup Plans
• Documentation
• Automation
28. Unite!
• #security on IRC
• dev-security mailing list
• https://wiki.mozilla.org/Security
• Upcoming Talks
• [16:40 Sat] Privacy and User Control - Stacy Martin
• [12:55 Sun] B2G & App Security Model - Lucas Adamski & Camilo Viecco
• [13:40 Sun] Getting a Handle on Privacy & Security - Shane Caraveo
29. Wrap Up
• Security is a requirement for the success of the future open web
• This will be challenging, but we’ve tackled big problems before
• Let’s keep enhancing our security lifecycle to protect our users and the web
30. Thanks
michael coates
mcoates@mozilla.com
:mcoates
@_mwc