Security/Meetings/Automation/2013-12-03
From MozillaWiki
< Security | Meetings | Automation
Status Updates
- freddyb:
- escape-artist confirmed my findings for the b2g-email app
- jeff (absent)
- psiinon
- ZAP plumbing to run ZEST script by just clicking them
- Privacy scan enabling
- ZAP homepage
- mgoodwin
- event hooks in PnH probe - it's now possible to 'listen in' on events that come through from the probe. At the moment, you don't really see much and you can't do anything but it's useful building work.
- More work on Ringleader impl of probe functionality - I'm hoping by the end of the quarter to do postmessage and event interception in chrome without probe injection.
- ulfr
- MIG
- DB storage for MIG finalized. (demo)
- Architecture review with kang produced wishlist of 11 features, 4 of which need to be implemented before staging deploy.
- SSL/TLS
- Did I show tlsnames yet? https://github.com/jvehent/tlsnames
- Automated cipherscan for mozilla domains (demo)
- Want to get the diff between to runs of the cipherscan, so we can catch domains that change their TLS configuration.
- a long discussion about identifying SSL/TLS cipher, version, keysize per host, and integrating that into Minion
- ulfr built cipherscan for that, on github: https://github.com/jvehent/cipherscan
- MIG
- stefan - investigating how to add full URLs to Minion (vs just hostname) (got a bunch of requests)
- dchan
- finished up EV checking https://github.com/dchan/minion-ev-plugin
- other cert related tests need to be added (ssllabs API?)
- OpSec & WebOps are definitely interested in expiration checks, key sizes, etc...
- other cert related tests need to be added (ssllabs API?)
- finished up EV checking https://github.com/dchan/minion-ev-plugin
- yvan
- Planning to implement differencing scan features in December
- Current state of zest.py / zest.js?
- tinfoil
- Playing around in spare time with creating a vuln database
- So far DB contains: CVE Data, Exploits, Advisories, Vuln tests run against our servers, all our IPs (internal), Hosts (corelate multiple ips from same host to one host entry), and a little more
- So far allows more flexible reporting than any product we have
- Plan on adding GUI by holiday break
- Planning on adding more tables for more configuration related data such as nmap, ssl, load-balancer/nat translations, dns, etc
- Playing around in spare time with creating a vuln database
