Bug 780220 (Closed): opened 12 years ago, closed 11 years ago

Vendor Sec Review: [Akamai]

Categories: mozilla.org :: Security Assurance: Review Request
Type: task; Priority: Not set; Severity: normal

Tracking: Not tracked

Status: RESOLVED WONTFIX

People

(Reporter: zandr, Unassigned)

Details

We'd like to use Akamai for streaming Air Mozilla.

Initially this will be for public events, though we'd eventually like to use their auth scheme for mozillians-only and internal-only streams as well. No user data will be sent to Akamai; they use a token-based auth scheme.

We have sent them a privacy questionnaire, I have not yet sent them the questions provided in the sec review wiki. Was a sec review done for the standard CDN offering?

A review may have been completed, but we've enhanced the process since then and it is worthwhile to send those new questions.
The vendor should respond to the following questions and this information should be added to the bug. In some situations particular questions may be not applicable to the vendor/system.

1) Overall
* Please describe the overall purpose of the system and how Mozilla data will be integrated 
2) Security Management
* Have you performed internal security audits of your code or application that, at a minimum, addressed the OWASP Top 10? If so, please provide a description of the review and results.
* Has a security audit been performed by an external third party? If so, who performed this audit and are the results available?
* How do you protect Mozilla data that will be stored on your servers or within your applications?
* How do you prevent other customers of your service from obtaining access to data provided by Mozilla?
* What is your disclosure policy to customers in the event of a compromise of your servers, applications or any related infrastructure that interacts with the applications holding Mozilla data?
* Have you suffered a security compromise in the past 24 months? If so, please provide details and remediation that occurred as a result.
* What other large engagements/clients have you supported with this application? 
3) Technical Design
* Do you support full SSL communication for all inbound and outbound communications?
* Describe the technology stack of the application and infrastructure.
* What options do you support for authentication?
** username/password
** certificate based authentication
** secret token 
* Do you use third party servers or do you host the servers yourself?
* Do you use any third party services or communicate with any third parties from this application? 
4) Security Verification
* Will testing of the running application be possible?
* Will source code for their application be available?
Whiteboard: [pending secreview] → [pending secreview][needs info]

Sweeping bugs and found this stale one; are we still looking to do this?
Flags: needinfo?(zandr)
Whiteboard: [pending secreview][needs info] → [pending secreview]

At this point, no, we are not looking at Akamai any longer.
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: needinfo?(zandr)
Resolution: --- → WONTFIX
Whiteboard: [pending secreview]