1316298 - Risk record for Symbol API

Status: RESOLVED WORKSFORME

(Security Assurance :: Risk Record, task)

Description

[Julien Vehent]

Summary
--------

RRA: https://docs.google.com/spreadsheets/d/1kJTSEg9BgT4F8xYkip-nOLJRQ8Aeg9iTx87grv8cu7U/edit#gid=0
Data classification: PUBLIC
Estimated risk: LOW
Worst case Impact: MEDIUM

The Symbolication service (symbolapi.mozilla.org) is an API used for symbolicating Firefox stacks. It uses data from symbols.mozilla.org to matches PC addresses to modules in memory and looks up the corresponding function names in server-side symbol files. The service is used by developers and may be used by telemetry when processing crashes in the future. 

Risk identification
-------------------
1. MEDIUM risk to productivity if the service is down as it would delay developers when investigating crashes.

Recommendations
---------------

1. The service should be hosted according to Cloud Services operational and security standards, and implement the Cloudsec security checklist from https://wiki.mozilla.org/Security/CloudSec#Security_Checklist. The low risk of running this service means no specific requirements are needed beyond standard operations.

Actions for you
---------------
The assignee of this bug should create implementation bugs/issues for each of the recommendations listed above. This risk record bug will remain open for the lifetime of the service. Please close this bug only when the service is decommissioned.

Comment 2

[Greg G]

Reassigned to lonnen. Their rewrite of the service: https://github.com/mozilla-services/tecken

Comment 3

[Lonnen :lonnen]

per https://bugzilla.mozilla.org/show_bug.cgi?id=1249192#c13 this service can be decomm'd rather than fixed