{"id":703,"date":"2012-05-08T17:06:51","date_gmt":"2012-05-09T00:06:51","guid":{"rendered":"http:\/\/blog.mozilla.org\/security\/?p=703"},"modified":"2013-05-16T16:43:59","modified_gmt":"2013-05-16T23:43:59","slug":"speeding-up-security-reviews","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2012\/05\/08\/speeding-up-security-reviews\/","title":{"rendered":"Speeding Up Security Reviews"},"content":{"rendered":"<p>At Mozilla we have a strong commitment to <a title=\"(See #4 in particular)\" href=\"http:\/\/www.mozilla.org\/about\/manifesto.en.html#principles\" target=\"_blank\">security<\/a>; unfortunately, due to the volume of work underway at Mozilla, we sometimes have a bit of a backlog in getting security reviews done.<\/p>\n<p>Want to speed up your security review request?\u00a0 You can dramatically shorten the turnaround time for your security review request by providing the information below.\u00a0 In addition to this, we are working to expand our overall security review process documentation; you can follow those efforts <a href=\"https:\/\/wiki.mozilla.org\/Security\/ReviewProcess\">here<\/a>.<\/p>\n<h2 id=\"magicdomid7\">1. 
Architecture Diagram<\/h2>\n<p>An architecture diagram illustrates how the various components of the service communicate with one another.\u00a0 This information allows the individual doing the security review to understand which services are required, how and where data is stored, and provides a general understanding of how the application or service works.\u00a0 Producing an architecture diagram is a good practice as it allows anyone to get a rapid view of how complex a system is, and can inform how much time it will take to work through a review of the system.<\/p>\n<p><a href=\"\/\/blog.mozilla.org\/security\/files\/2012\/05\/1.Architecture.F11.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-717\" title=\"Mozilla F1 Architecture\" src=\"\/\/blog.mozilla.org\/security\/files\/2012\/05\/1.Architecture.F11-252x385.png\" alt=\"Legacy F1 Service Architecture\" width=\"252\" height=\"385\" srcset=\"https:\/\/blog.mozilla.org\/security\/files\/2012\/05\/1.Architecture.F11-252x385.png 252w, https:\/\/blog.mozilla.org\/security\/files\/2012\/05\/1.Architecture.F11.png 392w\" sizes=\"(max-width: 252px) 100vw, 252px\" \/><\/a><\/p>\n<div><\/div>\n<h3 id=\"magicdomid11\">Examples<\/h3>\n<ul>\n<li><a href=\"http:\/\/people.mozilla.com\/~yboily\/identity\/assets\/images-1\/s31.b.jpeg\" target=\"_blank\">BrowserID Protocol High Level<\/a><\/li>\n<li><a href=\"https:\/\/people.mozilla.com\/~ckoenig\/App-Marketplace.jpg\" target=\"_blank\">Apps MarketPlace<\/a><\/li>\n<\/ul>\n<p id=\"magicdomid16\">Note that these are just examples; the architecture diagram is intended to help the reviewer visualize what they are assessing.\u00a0 It doesn&#8217;t have to be a fancy diagram, and our team has worked from camera shots of whiteboards from meetings!<\/p>\n<p style=\"text-align: center;\"><img decoding=\"async\" loading=\"lazy\" class=\" wp-image-716 aligncenter\" title=\"marketplace-whiteboard\" 
src=\"\/\/blog.mozilla.org\/security\/files\/2012\/05\/whiteboard-252x189.jpg\" alt=\"Marketplace Architecture\" width=\"252\" height=\"189\" srcset=\"https:\/\/blog.mozilla.org\/security\/files\/2012\/05\/whiteboard-252x189.jpg 252w, https:\/\/blog.mozilla.org\/security\/files\/2012\/05\/whiteboard-620x465.jpg 620w\" sizes=\"(max-width: 252px) 100vw, 252px\" \/><\/p>\n<div><\/div>\n<h2 id=\"magicdomid18\">2. Detailed Application Diagram<\/h2>\n<p id=\"magicdomid20\">A Detailed Application Diagram is essentially a data flow diagram (DFD); a DFD enumerates each application or service that is a component of a system, and provides a list of the paths that data can flow through.\u00a0 A DFD helps the security reviewer to understand how data moves through the system, how different operations are performed, and, if detailed enough, how different roles within the system access different operations.<\/p>\n<p id=\"magicdomid22\">While there are a number of different opinions on the &#8220;best way&#8221; to do a DFD, it is more helpful to have the information than it is to focus on presenting the information &#8220;the right way&#8221;.<\/p>\n<div id=\"magicdomid23\"><\/div>\n<h3 id=\"magicdomid24\">Examples<\/h3>\n<ul>\n<li><a href=\"https:\/\/wiki.mozilla.org\/images\/b\/bf\/MozillaF1-Diagram.png\" target=\"_blank\">Mozilla F1 Dataflow Diagram<\/a><\/li>\n<li><a href=\"https:\/\/wiki.mozilla.org\/images\/2\/22\/BrowserID-Threat-Model.png\" target=\"_blank\">BrowserID Detailed Dataflows<\/a><\/li>\n<li><a href=\"https:\/\/people.mozilla.com\/~ckoenig\/App-Marketplace.jpg\" target=\"_blank\">Apps Marketplace<\/a><\/li>\n<\/ul>\n<div id=\"magicdomid28\"><\/div>\n<h2 id=\"magicdomid29\">3. 
Data flow enumeration<\/h2>\n<div id=\"magicdomid31\">An enumeration of data flows in the application explains how and what data moves between various components.\u00a0 Note that this doesn&#8217;t need to be a rigorous explanation of fields; in this case we want a general description of the message, the origin of the message (browser, third party, service, database, etc), the general contents (e.g. &#8220;description of the add-on&#8221;, &#8220;content to be shared&#8221;, etc), and a list of sensitive fields.<\/div>\n<div id=\"magicdomid32\"><\/div>\n<h3 id=\"magicdomid33\">Examples<\/h3>\n<ul>\n<li><a href=\"https:\/\/wiki.mozilla.org\/Security\/Reviews\/Identity\/browserid#1._Provisioning\">BrowserID Dataflow Enumeration<\/a><\/li>\n<\/ul>\n<div id=\"magicdomid36\"><\/div>\n<h2 id=\"magicdomid37\">4. Threat Analysis<\/h2>\n<div id=\"magicdomid38\"><\/div>\n<div id=\"magicdomid39\">The next step is reviewing all of this information to build out a list of the threats to an application.\u00a0 The important bit here is that you, as a developer or contributor, know how an application or system works.\u00a0 You know what a good set of the failure modes of the application are, and you understand the &#8216;business logic&#8217; of the application.\u00a0 Many developers have a working knowledge of vulnerabilities, and can identify these types of issues.<\/div>\n<div id=\"magicdomid40\"><\/div>\n<div id=\"magicdomid41\">In order to properly perform a threat analysis a reviewer needs to understand how the various components of the system work, what threats exist, and be able to identify what mitigating controls have been put into place.<\/div>\n<div><\/div>\n<div>Here is an example of what a threat analysis might look like (links below):<\/div>\n<div><a href=\"https:\/\/wiki.mozilla.org\/Security\/Reviews\/F1#Threat_Model\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-large wp-image-724\" title=\"Mozilla F1 Threat Analysis Screencap\" 
src=\"\/\/blog.mozilla.org\/security\/files\/2012\/05\/Screen-Shot-2012-05-08-at-3.29.49-PM1-620x390.png\" alt=\"\" width=\"620\" height=\"390\" srcset=\"https:\/\/blog.mozilla.org\/security\/files\/2012\/05\/Screen-Shot-2012-05-08-at-3.29.49-PM1-620x390.png 620w, https:\/\/blog.mozilla.org\/security\/files\/2012\/05\/Screen-Shot-2012-05-08-at-3.29.49-PM1-252x158.png 252w, https:\/\/blog.mozilla.org\/security\/files\/2012\/05\/Screen-Shot-2012-05-08-at-3.29.49-PM1.png 1012w\" sizes=\"(max-width: 620px) 100vw, 620px\" \/><\/a>The threat analysis should contain, at a minimum, the following information:<\/div>\n<div>\n<ul>\n<li>ID &#8211; an identifier for the threat<\/li>\n<li>Title &#8211; a concise description of the threat<\/li>\n<li>Threat &#8211; a description of the threat<\/li>\n<li>Mitigations &#8211; a recommendation for a control that can be implemented<\/li>\n<li>Threat Agent &#8211; a list of the potential actors considered that would exploit a vulnerability<\/li>\n<li>Notes &#8211; related comments that contribute to the analysis, but don&#8217;t belong in other columns<\/li>\n<li>Rating &#8211; a qualitative scoring for a vulnerability in the context of this application<\/li>\n<li>Impact &#8211; a qualitative score representing the impact should a vulnerability be exploited<\/li>\n<li>Likelihood &#8211; a qualitative score representing the likelihood of a vulnerability being exploited<\/li>\n<\/ul>\n<p>Additional information on how we assess and rate threats will be published as part of the documentation for our risk rating and <a href=\"https:\/\/wiki.mozilla.org\/Security\/Reviews\/#Performing_a_Security_Review\">security review processes<\/a>.<\/p>\n<\/div>\n<h3 id=\"magicdomid43\">Examples<\/h3>\n<ul>\n<li><a href=\"https:\/\/wiki.mozilla.org\/Security\/Reviews\/F1#Threat_Model\">Mozilla F1 Threats<\/a><\/li>\n<li><a href=\"https:\/\/wiki.mozilla.org\/Security\/Reviews\/Identity\/browserid#Threat_Model\">BrowserID Threats<\/a><\/li>\n<\/ul>\n<h2>Help 
us help you!<\/h2>\n<p>Part of determining the scope of a security review is understanding how an application works and what the risks are; the documentation described in this post helps us to understand this and will ensure that we can complete a security review as quickly as possible.\u00a0 Beyond that, as teams understand how security reviews are performed it gives them the opportunity to take ownership of security and build it more effectively into their own processes.<\/p>\n<p>As with other Mozilla teams we are actively pursuing better community engagement and always welcome feedback.<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>At Mozilla we have a strong commitment to security; unfortunately due to the volume of work underway at Mozilla we sometimes have a bit of a backlog in getting security &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2012\/05\/08\/speeding-up-security-reviews\/\">Read more<\/a><\/p>\n","protected":false},"author":1438,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[69],"tags":[],"coauthors":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Speeding Up Security Reviews - Mozilla Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2012\/05\/08\/speeding-up-security-reviews\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"mozilla\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2012\/05\/08\/speeding-up-security-reviews\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2012\/05\/08\/speeding-up-security-reviews\/\",\"name\":\"Speeding Up Security Reviews - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"datePublished\":\"2012-05-09T00:06:51+00:00\",\"dateModified\":\"2013-05-16T23:43:59+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/70ae25c16f09d053c6d8b5eac29dbda9\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2012\/05\/08\/speeding-up-security-reviews\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2012\/05\/08\/speeding-up-security-reviews\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2012\/05\/08\/speeding-up-security-reviews\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Speeding Up Security Reviews\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/70ae25c16f09d053c6d8b5eac29dbda9\",\"name\":\"mozilla\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/98138a294cb6e19a68b02ef8ca9be2dc\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/75d2017e019c87560fe5d148a64659dc?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/75d2017e019c87560fe5d148a64659dc?s=96&d=identicon&r=g\",\"caption\":\"mozilla\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Speeding Up Security Reviews - Mozilla Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/security\/2012\/05\/08\/speeding-up-security-reviews\/","twitter_misc":{"Written by":"mozilla","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/security\/2012\/05\/08\/speeding-up-security-reviews\/","url":"https:\/\/blog.mozilla.org\/security\/2012\/05\/08\/speeding-up-security-reviews\/","name":"Speeding Up Security Reviews - Mozilla Security Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/security\/#website"},"datePublished":"2012-05-09T00:06:51+00:00","dateModified":"2013-05-16T23:43:59+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/70ae25c16f09d053c6d8b5eac29dbda9"},"breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/security\/2012\/05\/08\/speeding-up-security-reviews\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/security\/2012\/05\/08\/speeding-up-security-reviews\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/security\/2012\/05\/08\/speeding-up-security-reviews\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/security\/"},{"@type":"ListItem","position":2,"name":"Speeding Up Security Reviews"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/security\/#website","url":"https:\/\/blog.mozilla.org\/security\/","name":"Mozilla Security Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/70ae25c16f09d053c6d8b5eac29dbda9","name":"mozilla","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/98138a294cb6e19a68b02ef8ca9be2dc","url":"https:\/\/secure.gravatar.com\/avatar\/75d2017e019c87560fe5d148a64659dc?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/75d2017e019c87560fe5d148a64659dc?s=96&d=identicon&r=g","caption":"mozilla"}}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/703"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/1438"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=703"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/703\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=703"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=703"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=703"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=703"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}