Security/Meetings/SecurityAssurance/2012-10-09
From MozillaWiki
- Time: (Weekly) Tuesday at 13:30 PDT / 16:30 EDT / 21:30 UTC.
- Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
- Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
- Phone (Toronto): 416 848 3114 x92 Conf: 95316#
- Phone (US): 800 707 2533 (pin 369) Conf: 95316#
Agenda
- Q4 Goals - will be posted today
- Goals - Please keep status up to date - https://mana.mozilla.org/wiki/display/SECURITY/2012+-+Q4+Goals has been created but is currently a copy of the Q3 goals
  - mcoates will copy from a secret google docs page into mana later today, so we can't really discuss this yet
- Review Security Radar Page - https://wiki.mozilla.org/Security/Radar
  - Yvan - Should we expect to plan a detailed internal or 3rd party review of the phone, including an analysis of drivers, etc.?
- [gkw] MozCamp Asia 2012
- [jesse] keelerd's draft blog post about click-to-play plugins in Firefox 17 (beta) and 18 (aurora)
- [dchan] PTO next Monday
- [abillings] PTO next week
- [curtisk] PTO this Thu
- [mgoodwin] educating developers
  - Blog post on HSTS wanted
    - Could refer to the new OWASP HSTS video -- http://www.youtube.com/watch?v=zEV3HOuM_Vw
    - We're about to start shipping with some pre-pinned HSTS sites (based on Chrome's list, but restricted to sites with long HSTS TTLs) -- https://bugzilla.mozilla.org/show_bug.cgi?id=760307
  - SSL for mozilla.org
- [psiinon] http://docs.webplatform.org/ - adding security stuff
  - What's the general advice for "It's already on MDN, should it be copied or moved?"
  - Licensing?
- Web Security Lab Slides
  - [mcoates] What do you all use for presentations?
    - Everyone uses something different. Export from Apple Keynote or LibreOffice to PDF; Jesse uses S5; ...
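An added example (not part of these meeting notes or of Mozilla's own preload tooling) of the selection rule mentioned under the HSTS item above: parse each candidate host's Strict-Transport-Security header and keep only hosts whose max-age clears a minimum TTL. The 18-week cutoff and the sample hosts are assumed values for illustration; the notes only say "long HSTS TTLs".

```python
import re

# Assumed minimum max-age (seconds) before a site is considered for the
# built-in list; 18 weeks is a placeholder threshold, not Mozilla's value.
MIN_MAX_AGE = 18 * 7 * 24 * 3600

# One STS directive: a token name, optionally "=" and a quoted or bare value.
_DIRECTIVE = re.compile(
    r'^\s*([a-zA-Z][a-zA-Z0-9-]*)\s*(?:=\s*("[^"]*"|[^;\s]*))?\s*$')


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value into a dict.

    Returns None on a malformed header: unknown syntax, a duplicated
    directive, or a missing/non-numeric max-age (RFC 6797 rules).
    Directive names are compared case-insensitively.
    """
    directives = {}
    for part in header.split(';'):
        if not part.strip():
            continue  # tolerate a trailing ';'
        m = _DIRECTIVE.match(part)
        if m is None:
            return None
        name, value = m.group(1).lower(), m.group(2)
        if name in directives:
            return None  # duplicate directive invalidates the header
        if value is not None and value.startswith('"'):
            value = value[1:-1]  # unwrap a quoted value
        directives[name] = value
    try:
        directives['max-age'] = int(directives['max-age'])
    except (KeyError, TypeError, ValueError):
        return None
    return directives if directives['max-age'] >= 0 else None


def preload_eligible(header, min_max_age=MIN_MAX_AGE):
    """True if the header parses and its max-age meets the minimum TTL."""
    d = parse_hsts(header)
    return d is not None and d['max-age'] >= min_max_age


def filter_candidates(sites, min_max_age=MIN_MAX_AGE):
    """From {host: observed STS header or None}, return qualifying hosts."""
    return sorted(h for h, hdr in sites.items()
                  if hdr is not None and preload_eligible(hdr, min_max_age))


# Constructed sample data: hostnames and headers are made up for this example.
SAMPLE_SITES = {
    "long-ttl.example": "max-age=31536000; includeSubDomains",
    "short-ttl.example": "max-age=3600",
    "quoted.example": 'max-age="15552000"',
    "dup.example": "max-age=31536000; max-age=1",
    "no-hsts.example": None,
}
```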
Security Review Status (koenig)
- Completed in Q3 2012: 56
- Number of Reviews Completed (so far this quarter): 7
- Number of Outstanding Reviews: 138 (139)
- Number of reviews without risk rating: 18 (23)
- Number of reviews without deadline set: 129 (97)
Operations Security Update (Joe Stevensen)
Project Updates
Please don't leave blank. Add "No Update" if nothing has changed
Silent updates (rforbes / dveditz)
B2G (Paul Theriault, David Chan)
- mochitests are still broken
- b2g update review next Monday
Thunderbird (Adam Muntner)
Rust (Jesse Ruderman)
Rust 0.4 will be released this week!
Mobile (Mark Goodwin)
- Need to sort out secreviews for:
  - Safe browsing
  - Per-tab private browsing
- Need to look at proposals for integrating fennec with global Android search
Sync (Simon Bennetts)
Services (Simon Bennetts & Adam Muntner)
Social - Pancake (Mark Goodwin)
- N/A
Jetpack, Add-on SDK, Add-on Builder (Dan Veditz)
JS (Christian Holler)
- No update
DOM, XPConnect (Jesse Ruderman)
- Nice mix of improvements to the DOM fuzzer last week.
  - Allow using core files with the DOM fuzzer.
  - Improve reporting of internal errors in the DOM fuzzer.
  - Improvements to JS-reflection-based fuzzing: update startingPoints; improve lockpickFunction
  - Improve DOM CSS fuzzing.
Layout, Style (Jesse Ruderman)
Automation Tools (Gary Kwong)
- First batch of 400 ARM boards coming in for continuous integration testing according to ateam
- Next batch of 400 by approximately early next year
Web Developer Tools (Mark Goodwin)
- Currently reviewing the new HTML markup panel
- Batch #2 of my CSP message stuff has landed :D
- Remote debugging is now cooked
- You can now play with a remote Web console
Networking (Christoph Diehl)
Graphics (Christoph Diehl)
Networking (Media / Codecs)
Market (Raymond Forbes)
Firefox APIs (Raymond Forbes)
Payment Flow (Raymond Forbes)
Dynamic API Security Model (Raymond Forbes)
WebRT (Raymond Forbes)
BrowserID
Identity Services (David Chan)
Addons.M.O (Raymond Forbes)
Bugzilla.M.O (Mark Goodwin & Eric Parker)
- No update
Mozillians (Raymond Forbes)
MDN (Raymond Forbes)
SUMO (Kitsune)
AddressSanitizer (Christian Holler)
- Now doing daily ASan try push with tests enabled, automated with scanning for new failures