Security/Meetings/2011-10-12

From MozillaWiki

Derp

  • 15-20 minutes spent on calendaring & videoconferencing fails

NonFeature

  • criteria & metrics (lucas mail)
  • stuff that is not a "sec bug" is also part of this (sg:want)
  • Lucas has discussed with Blizzard
  • Top-down prioritization of security vs. performance etc. is not necessary (?)
  • We should have a process that works even if individual bugs aren't given precise priorities.

Should we use modified DREAD? [curtis]

  • DREAD
  • Curtis's proposal: https://wiki.mozilla.org/Security/DraftDREAD
  • Estimation of “Reproducibility” / “Reliability”, “Exploitability”, and “Discoverability” is difficult and probably not worth the time. Security researchers will prove you wrong.
  • That leaves “Damage” and “AffectedUsers”, which we already use. (We focus on Damage, but allow AffectedUsers to drop down a level.)

Security bug analysis [curtis]

  • Goal: explain to the entire project why it's important to fix security bugs quickly, even if they were reported privately
  • Looking for responses to email titled "Security bug analysis"
  • non-parallelizable resources (devs, reviewers)
    • bugs per developer
  • time for 0-day fix > working on getting this data
  • review gap ?

Evangelizing security topics [curtis]

  • Blog posts, brownbags, MDN articles
  • https://developer.mozilla.org/en/Security could use work
  • working on more evangelism / discussion
  • Who is willing to talk about what?
    • [sid] privacy and you™ (privacy design + reviews + documentation in your design/dev cycle)
    • [imelven] willing to work on MDN docs, would welcome ideas on topics
  • Brainstorming
    • Securing your Firefox extensions

Security reviews

  • triage later today (go through feature list and decide what needs review)

PTO / Travel

  • Curtis PTO Oct 14
    • Curtis in MV Oct 17-22
  • Sid PTO Oct 13-14
  • dveditz PTO Oct 24-28
  • Jesse's birthday Oct 13 Happy Birthday! ♫HBTY, HBTY, HBDJesse, HBTY♫
  • Ian at the Toronto office all next week for Mobile Work Week; will also meet with Stefan on Pancake and Ehsan on mobile private browsing; will probably skip most reviews/meetings except for interviews and the Mobile Safe Browsing backend review

"Big Changes" to address the CA problem

  • what is our appetite for making changes?
  • who do we need to buy-in to be able to move forward?
  • Should we just add an extension point for now and let researchers experiment? Or should we champion one possible solution?
  • Some of the people who could help implement the extension point would prefer that we choose a solution, but we haven't chosen one, so nothing is happening? :(
  • Perspectives, Convergence, Langley(?)
  • bsterne will set up another meeting (?) (public?) to discuss this in more detail. Let's invite Blizzard.

Feature push / product

  • Anyone who wants to help drive a sec/privacy feature: see Sid
  • Product is interested in picking some up, but needs better specs/designs in feature pages
  • Sid can help you see that a feature gets picked up and shipped, if you're willing to spend time pushing it.
    • What does it mean to "push" it? How much work is that committing to?
      • depends on the feature (some are simple, some need spec work)

Integer overflow (Jesse)

Soft-blocking vulnerable plug-ins

Response to Stephan Neuhaus (EU Metrics Research)