Closed
Bug 780220
Opened 12 years ago
Closed 11 years ago
Vendor Sec Review: [Akamai]
Categories
(mozilla.org :: Security Assurance: Review Request, task)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: zandr, Unassigned)
Details
We'd like to use Akamai for streaming Air Mozilla. Initially this will be for public events, though we'd eventually like to use their auth scheme for mozillians-only and internal-only streams as well. No user data will be sent to Akamai; they use a token-based auth scheme. We have sent them a privacy questionnaire; I have not yet sent them the questions provided in the sec review wiki. Was a sec review done for the standard CDN offering?
Comment 1•12 years ago
A review may have been completed, but we've enhanced the process since then and it is worthwhile to send those new questions.

The vendor should respond to the following questions and this information should be added to the bug. In some situations particular questions may not be applicable to the vendor/system.

1) Overall
* Please describe the overall purpose of the system and how Mozilla data will be integrated

2) Security Management
* Have you performed internal security audits of your code or application that, at a minimum, addressed the OWASP Top 10? If so, please provide a description of the review and results.
* Has a security audit been performed by an external third party? If so, who performed this audit and are the results available?
* How do you protect Mozilla data that will be stored on your servers or within your applications?
* How do you prevent other customers of your service from obtaining access to data provided by Mozilla?
* What is your disclosure policy to customers in the event of a compromise of your servers, applications or any related infrastructure that interacts with the applications holding Mozilla data?
* Have you suffered a security compromise in the past 24 months? If so, please provide details and remediation that occurred as a result.
* What other large engagements/clients have you supported with this application?

3) Technical Design
* Do you support full SSL communication for all inbound and outbound communications?
* Describe the technology stack of the application and infrastructure.
* What options do you support for authentication?
** username/password
** certificate based authentication
** secret token
* Do you use third party servers or do you host the servers yourself?
* Do you use any third party services or communicate with any third parties from this application?

4) Security Verification
* Will testing of the running application be possible?
* Will source code for their application be available?
Whiteboard: [pending secreview] → [pending secreview][needs info]
Updated•12 years ago
Keywords: sec-review-needed
Sweeping bugs and found this stale one; are we still looking to do this?
Flags: needinfo?(zandr)
Updated•12 years ago
Whiteboard: [pending secreview][needs info] → [pending secreview]
Reporter
Comment 4•11 years ago
At this point, no, we are not looking at Akamai any longer.
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: needinfo?(zandr)
Resolution: --- → WONTFIX
Updated•11 years ago
Whiteboard: [pending secreview]