Security/Meetings/SecurityAssurance/2012-11-13

  • Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
  • Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
  • Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
  • Phone (Toronto): 416 848 3114 x92 Conf: 95316#
  • Phone (US): 800 707 2533 (pin 369) Conf: 95316#

Agenda

  • (curtisk) Web Bug Verification Rotation (just web?)
    • What is it?
      • Verify any incoming reports of web vulnerabilities (change bug from unconfirmed to new)
      • Provide additional detail on how to mitigate the reported issue
      • curtisk will do basic triage of incoming items, then assign to the "on call" resource; once verified, you can assign back to "nobody" for the websites team to take further action
    • Who:
      • rforbes
      • mgoodwin
      • curtisk
      • sbennetts
      • dchan
      • Adamm
      • pault
      • sarentz (st3fan)
      • yboily
    • Starts: Mon, 26-Nov, lasts for one week each
    • You can change weeks with someone
    • Use sec-bounty flag to nominate bugs for bounty -- if the requestor asks
    • curtisk will share a zimbra calendar to show who has what week, you all will have rights to it to modify
  • (curtisk) Communications plan - please fill in your alias below for areas you're willing to contribute to
    • Bloggers: decoder, mcoates, rforbes, kang, yboily, psiinon, pauljt, curtisk, cdiehl, mgoodwin
    • Brown-Baggers: mcoates, rforbes, kang, yboily, curtisk, gkw
    • MDN articles: decoder, dchan, (al, will edit), pauljt, cdiehl, psiinon, cdiehl, mgoodwin
  • [gkw] MozCamp Asia this weekend
  • [st3fan] PyConCanada
  • Feedback from Security Engineering Brownbag
    • Test out click to play - about:config plugins.click_to_play
  • [mcoates] Project Kick Off Form Update
  • mfuller's last week - if you need anything before I leave, let me know
    • Lunch in MV on Thurs - meet in lobby at noon
    • preventive measures: bribe teacher, ball & chain, lock in room & throw away key, hire him
    • The plastic is working so far ;) << then you really need a pocket knife
  • [yboily] Mentorship Update
    • four mentors in Mozilla, two OWASP mentors!
    • five mentees, 3 looking to start in January, 2 pending approval from their schools
  • [psiinon] OWASP German day
  • [Paul] FirefoxOS dom xss bash continues, help please if you have some time and want to do some code review: https://etherpad.mozilla.org/domxssbash
  • [mcoates] Schedule - US Thanksgiving next Thurs/Fri
  • Goals - Please keep status up to date - https://mana.mozilla.org/wiki/display/SECURITY/2012+-+Q4+Goals
  • Review Security Radar Page - https://wiki.mozilla.org/Security/Radar
  • Upcoming Speaking Engagements
    • (Who) : Date: Name of Event : Talk Title: Link
    • Yvan Boily : Nov 16 : Vancouver Python User Group : Introduction to OWASP ZAP (Vancouver)
    • Yvan Boily : Dec 11 : OWASP Seattle : Security At Scale (Seattle)
    • Yvan Boily : Dec 15 : BSidesSeattle : Security Testing with ZAP (Seattle)

Security Review Status (curtisk)

Operations Security Update (Joe Stevensen)

Project Updates

Please don't leave blank. Add "No Update" if nothing has changed

Silent updates (rforbes / dveditz)

B2G (Paul Theriault, David Chan)

  • almost done with webapi permissions testing

Thunderbird (Adam Muntner)

Rust (Jesse Ruderman)

Mobile (Mark Goodwin)

Sync (Simon Bennetts)

  • No update

Services (Simon Bennetts & Adam Muntner)

Jetpack, Add-on SDK, Add-on Builder (Dan Veditz)

JS (Christian Holler)

  • No update

DOM, XPConnect (Jesse Ruderman)

Layout, Style (Jesse Ruderman)

Automation Tools (Gary Kwong)

  • No update

Web Developer Tools (Mark Goodwin)

Networking (Christoph Diehl)

  • No update

Graphics (Christoph Diehl)

  • B2G monitors are working again for Emulator and Device

Market (Raymond Forbes)

Firefox APIs (Raymond Forbes)

Payment Flow (Raymond Forbes)

Dynamic API Security Model (Raymond Forbes)

WebRT (Raymond Forbes)

BrowserID

Identity Services (David Chan)

  • gombot/skycrane

Addons.M.O (Raymond Forbes)

Bugzilla.M.O (Mark Goodwin & Eric Parker)

Mozillians (Raymond Forbes)

MDN (Raymond Forbes)

SUMO (Kitsune)

AddressSanitizer (Christian Holler)