• Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
• Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
• Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
• Phone (Toronto): 416 848 3114 x92 Conf: 95316#
• Phone (US): 800 707 2533 (pin 369) Conf: 95316#

Agenda

• [curtisk] Changing our use of etherpad
  • Use a new etherpad for each meeting, or switch to Google Docs
  • See https://wiki.mozilla.org/WeeklyUpdates/2014-01-27#IT
  • [Jesse] +1, it's annoying that history is broken on the etherpad we use for these meetings
  • [Jesse] I wonder if the new version (etherpad lite) is better
• (Action Item) Curtis - get a new pad for each weekly meeting
• [curtisk] Sprint 6
  • need more bugs than just the ones from mgoodwin
  • [pauljt] adding fxos ones today (but this is seperate)
• [pauljt] How do I get a new project?
  • file something against bmo - or maybe in service-now? :p
    • thanks - any objections to a sec-reviews-fxos component
  • https://bugzilla.mozilla.org/enter_bug.cgi?product=bugzilla.mozilla.org&component=Administration for new keywords and components
• [freddbyb] scaling security reviews (this probably applies for all sec teams) <= blog posts? (instead of big brown bag). 1 per tool. easier to do. lasts in time.
  • [pauljt] my 2 cents = triage, then fewer reviews in more detail
  • + also promote tools/knowlege as part of the secreview process
  • (ie don't just tell people about the bugs, go through how you found them)
  • Capture this knowledge: https://wiki.mozilla.org/Security/B2G/FirefoxOSCommsHardening and https://developer.mozilla.org/en-US/Apps/Security_guidelines
  • Self Certification instead of waiting for one of us to have time (needs a process, tools and buckets)
    • Which tools?
    • Who will write up descriptions for these tools?
    • What to document in a bug?

(Action Item) Curtis to organize a discussion

• mgoodwin
• psiinon

[Yvan] - not able to meet early meetings

• Security Reports

Upcoming Speaking Engagements

(List it at these two locations too: https://developer.mozilla.org/en-US/events & https://wiki.mozilla.org/Security/Talks )

• Feb 5 psiinon - Oracle webcast (Using ZAP for automated testing) (no tweet)
• Feb 8 psiinon - Manchester StudentHack (Mozilla, security, OWASP, open source) (sold out?) http://www.studenthack.com/
• Feb 5 arroway - JDuchess France (defensive programming
• Feb 6 arroway - Paris 8 (Mozilla stuff)

Planned Blog Posts

• [new] https://mana.mozilla.org/wiki/display/SECURITY/Security+Blog+Posts
• [old]https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AlDw2hHXmVgCdHN3LWZTZ0hjMElPc1g2clRKb2lNN3c

Security Review Status (curtisk)

• Completed in Q1:64 / Q2: 72 / Q3:55

https://security-review-statistics.vcap.mozillalabs.com/weekly

Metrics

• • https://security-review-statistics.vcap.mozillalabs.com/
  • https://people.mozilla.com/~sarentz/p/dashboard

Operations Security Update (Joe Stevensen)

• Lots of work on Firefox Account infrastructure review, involves entire OpSec team + CloudOps (+appsec?)

Project Updates

Please add your name to the update so we know who to follow up with

Firefox Desktop

Firefox Mobile

Firefox OS

Firefox Core

MarketPlace

Web Apps

Services

Operation Security