Enterprise Information Security

For security incidents, investigations, risk analysis requests and reviews. The team was formerly known as OpSec and is currently known as EIS or infosec.

Select a component to see open bugs in that component:

General

Bugs related to the operations security (OpSec) team, including server- and network-related security issues.

Incident

Used whenever a security breach, data leak, or event occurs that requires incident response.

Investigation

Think you might have a security incident but need help figuring it out? Leaked passwords but don't know whether they've been used? It goes here. If an attack is in progress, or data has been leaked and used or seen by third parties, use the Incident component instead.

MIG

For MIG, the Mozilla InvestiGator.

MozDef

For MozDef, the Mozilla Defense platform - Mozilla's SIEM.

NSM

For NSM, the Network Security Monitoring running at Mozilla.

Penetration Test

An adversarial exercise with the goal of demonstrating risks that could be exploited by a threat actor. Testing scope is heavily influenced by RRA and TM results, which should be completed prior to Penetration Testing.

Rapid Risk Analysis

The Rapid Risk (Impact) Assessment (also called Rapid Risk Analysis) is a discussion of 30 minutes or less about the potential risks of a project. The RRA is high level and lightweight.

Risk Record

Risk recorded during a risk analysis. These entries represent the risks and recommendations made. Tracking of remediations, acceptance of risk ("wontfix"), or discussion is done here.

Threat Modeling

A review of the set of attack scenarios to consider against an application. Threat models are more specific, more thorough and often more time consuming than a Rapid Risk Analysis (RRA). When a threat model or analysis is requested on a large service (i.e., larger than a quick reply in a bug), an RRA is required first to ensure that the security recommendations cover the areas of concern for the service.

Vulnerability Assessment

A semi-automated point-in-time vulnerability assessment conducted by a vulnerability scanner and other “point and shoot” tools for an explicit set of target(s). May include a validation component, depending on scope.