Security/Meetings/SecurityAssurance/2012-04-17



  • Time: (Weekly) Tuesday at 13:30 PDT / 16:30 EDT / 21:30 UTC.
  • Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
  • Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
  • Phone (Toronto): 416 848 3114 x92 Conf: 95316#
  • Phone (US): 800 707 2533 (pin 369) Conf: 95316#

Agenda

  • mcoates attending mozcamp latam
  • Goals - Please keep status up to date - https://mana.mozilla.org/wiki/display/INFRASEC/2012+-+Q2+Goals
  • Bug mentoring [Jesse]
    • We should sign up to mentor more bugs.
    • I only see 2 mentored security-related bugs, both mentored by people on other engineering teams.
    • sg:want and public sg:low bugs are obvious candidates
    • Security developers (e.g. ian, tanvi, sid, camillo), mostly on the security engineering team rather than the security assurance team: it would be great if each of you could offer to mentor some bugs, so that the bugs appear on jdm's "Bugs Ahoy" dashboard and so that we can point volunteers who are interested in contributing to security efforts at them.
  • REMINDER: update required reading before security review meetings [curtisk]
    • needed: dveditz, rforbes
    • done: dchan
  • REMINDER: put estimate dates on your [secr] bugs (yvan)

Meeting Notes

Security Review Status (koenig)

Project Updates

Please don't leave a section blank. Add "No Update" if nothing has changed. If we're missing a category, please add it and update the template.

Silent updates (rforbes / dveditz)

B2G (Paul Theriault)

Thunderbird (Dan Veditz)

Rust (Jesse Ruderman)

Mobile (David Chan)

Sync (David Chan & Yvan Boily)

Services (David Chan & Yvan Boily)

Social - Pancake (Mark Goodwin)

Internal pilot is progressing; seems generally resilient to web attacks; not too keen on what's going on behind the web hosts (encryption between hosts has been pushed to M3, as has authorization in user-api). Still, it's labsy and "at your own risk", so provided these are resolved prior to general release I guess it's OK-ish.

Jetpack, Add-on SDK, Add-on Builder (Dan Veditz)

JS (Christian Holler)

  • [decoder] Semi-automated JS OOM Testing now in place and filing bugs
  • [decoder] IonMonkey bugs will now be filed security-sensitive if they are security related. Existing bugs will be triaged again. (IonMonkey is likely to land on mozilla-central in early June.)

DOM, XPConnect (Jesse Ruderman)

Layout, Style (Jesse Ruderman)

Automation Tools (Gary Kwong)

  • [decoder] Meeting with jmaher (ateam) scheduled for Thursday to talk about automated Firefox builds with ASan
  • [gkw] at ateam work week in SF.

Web Developer Tools (Mark Goodwin)

Work on debugger is progressing. Tanvi and I have been working on feature pages for the ideas discussed at devtools week.

Networking ( Media / Codecs)

Market (Raymond Forbes)

Firefox APIs (Raymond Forbes)

Payment Flow (Raymond Forbes)

App Sync (David Chan)

Dynamic API Security Model (Raymond Forbes)

WebRT (Raymond Forbes)

BrowserID

  • Waiting on Q2 goals (should be done this week)

Identity Services (David Chan)

Addons.M.O (Raymond Forbes)

Bugzilla.M.O (Mark Goodwin & Eric Parker)

No updates... but I notice some big changes have happened, so I need to find out how that got past us.

Mozillians (Raymond Forbes)

MDN (Raymond Forbes)

SUMO (Kitsune)