Apps/Security/Meeting-2012-04-06

Attendees

  • Michael Coates
  • Mike Hanson
  • Bill Walker
  • James Straus
  • Ragavan
  • Chris Lee
  • Ian Melven

Agenda

Flow of Security

  • Who is driving security model creation - gap?
    • Chris Jones
    • Jim Straus
  • Concerns from Mike Hanson that this isn't effective enough
  • Need desktop, android, across whole webapi
  • Mike believes security engineering / Lucas to lead the model
  • Need to create
    • What is the security bar/standard that we need across the board
  • B2G has additional security considerations on top of the WebAPI security concerns
  • Possible Work Flow
    • Creation of Security Model - Security Engineering
    • Development - Development Teams
    • Threat Modeling, Verification - Security Assurance

Proposal from Mike Hanson

Each Friday:

  • Work down the WebAPI list contained in the spreadsheet, from top to bottom
  • For each item, fill out Lucas' template and get signoff from product that the use cases are understood by security
    • Link for Lucas' template?
    • Provide security requirements for building (Security Engineering & All)
    • Identify security concerns that need additional consideration/research (Security Engineering & All)
  • Continue until 2:00 or until we run out of time. Moving quickly through the use cases would be wise.

Then:

  • Security team (security assurance) has a week to fill out threats, severity, mitigations, authorization model, and describe implementation requirements
  • Product team to signoff on that, and implementation to commence the next Friday. Sooner is okay, of course.

And we can cycle that, weekly?