Add Prefixing to BMO API Tokens to make them more DLP friendly
Categories
(bugzilla.mozilla.org :: API, enhancement)
People
(Reporter: claudijd, Unassigned)
Description
We're currently investigating DLP (Data Loss Protection) solutions for Slack and GitHub (and possibly other applications) and we'd like to be able to detect BMO API token leaks when and if they happen. However, BMO API tokens are not self-describing as BMO API tokens and look like any other token, making them hard to detect.
This proposal is to add some prefix to BMO API tokens such that DLP solutions can add detectors and quickly identify when a leak happens, classify it as a BMO API token leak, remove it from the leak location, and possibly even revoke the BMO API token.
Doing this, I believe, could significantly reduce the impact of a BMO API token leak.
Some initial patterns to consider:
- bmo-<legacy token>
- bugzilla-<legacy token>
I am very interested in understanding any constructive criticism of such an approach, since this is somewhat of a new pattern to be asking of API token providers and the b- team has always been a very security savvy partner in the past.
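To make the detection argument concrete, here is an added example (not code from the bug, from BMO or from any DLP product) of the two detectors a DLP hook would need: one for the proposed prefixed format and one for the current unprefixed format. It assumes, since the bug does not say, that a legacy BMO token body is 40 alphanumeric characters; the prefixes "bmo" and "bugzilla" are the ones proposed above, and the sample lines are constructed.

```python
import re

# Assumption (not stated in the bug): a legacy BMO API token body is 40
# alphanumeric characters. The prefixes are the two proposed in the bug.
LEGACY_BODY = r"[A-Za-z0-9]{40}"
PREFIXES = ("bmo", "bugzilla")

# Detector for the proposed self-describing format: <prefix>-<legacy body>.
# The lookarounds stop it matching inside a longer alphanumeric run.
PREFIXED_RE = re.compile(
    r"(?<![A-Za-z0-9-])(?:" + "|".join(PREFIXES) + r")-" + LEGACY_BODY + r"(?![A-Za-z0-9])"
)

# The best a DLP tool can do for the current format: any 40-char alphanumeric
# run. It cannot tell a BMO token from a git SHA or any other credential.
LEGACY_RE = re.compile(r"(?<![A-Za-z0-9])" + LEGACY_BODY + r"(?![A-Za-z0-9])")


def add_prefix(legacy_token: str, prefix: str = "bmo") -> str:
    """Illustrate the proposed token shape by wrapping a legacy-style body."""
    if prefix not in PREFIXES:
        raise ValueError(f"unknown prefix {prefix!r}")
    if not re.fullmatch(LEGACY_BODY, legacy_token):
        raise ValueError("token body does not match the assumed legacy format")
    return f"{prefix}-{legacy_token}"


def find_prefixed(text: str) -> list[str]:
    """Every prefixed token in text; each hit can be classified as BMO and revoked."""
    return [m.group(0) for m in PREFIXED_RE.finditer(text)]


def find_legacy_candidates(text: str) -> list[str]:
    """Every 40-char run in text; an unprefixed detector must flag all of them."""
    return LEGACY_RE.findall(text)


# Constructed sample messages, as a Slack or GitHub DLP hook might see them.
GIT_SHA = "0123456789abcdef" * 2 + "01234567"  # 40 hex chars, not a token
SAMPLE_LINES = [
    "deploy: export BUGZILLA_API_KEY=bmo-" + "a" * 40,
    "fixed in commit " + GIT_SHA,
    "old key was " + "Q" * 40 + " please rotate",   # unprefixed BMO-style token
    "backup creds: bugzilla-" + "z" * 40,
]


if __name__ == "__main__":
    text = "\n".join(SAMPLE_LINES)
    print("prefixed tokens (exact):", find_prefixed(text))
    print("legacy candidates (noisy):", find_legacy_candidates(text))
```

Run as a script it shows the trade-off the bug describes: the prefixed detector returns exactly the two BMO tokens, while the legacy detector also returns the git SHA and cannot say which of its four hits belongs to BMO, so it can neither classify nor safely revoke.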
Comment 1•11 months ago
relevant documentation for secret scanning: https://mozilla-hub.atlassian.net/wiki/spaces/~hwine@mozilla.com/pages/50102356/Secret+Token+Patterns+straw+dog
Comment 2•8 months ago
Just wanted to add that GitHub now has a Secret Scanning program, in which you could enroll your product and validate/alert/revoke leaked tokens automatically as they are found.
So changing the token format is a precursor and could be a good first step to automate the token lifecycle during leaks: