Security/Meetings/SecurityAssurance/2012-11-20



  • Time: (Weekly) Tuesday at 13:30 PDT / 16:30 EDT / 21:30 UTC.
  • Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
  • Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
  • Phone (Toronto): 416 848 3114 x92 Conf: 95316#
  • Phone (US): 800 707 2533 (pin 369) Conf: 95316#

Agenda

  • US Holiday this Thursday (11/22) and Friday (11/23).
  • (curtisk/jperrier) MDN - Security engagement
  • (curtisk) Security Champions (sec-champs@mozilla.com), next meeting on 4-Dec
  • (curtisk) ready for review stats - request of mcoates, individual items, team items ??
  • Goals - Please keep status up to date - https://mana.mozilla.org/wiki/display/SECURITY/2012+-+Q4+Goals
    • Quarter basically ends Dec 15; even if you're not on vacation, everyone else will be. So we have 3 weeks left.
  • Review Security Radar Page - https://wiki.mozilla.org/Security/Radar
  • [dveditz] “Bugzilla crash bugs and security risk” thread on security-group
    • Concern: with thousands[?] of open crash bugs, and hundreds with testcases, some may be exploitable (as in triggerable by web page and memory safety bugs).
    • “It’s easier to wade through Bugzilla than write your own fuzzer”
      • Or crash-stats
    • [decoder] What can be automated?
      • We have something like !exploitable running on Socorro now, so we could e.g. auto-check the security box on the "File a bug based on this report".
        • [Jesse] Could we go through all crash bugs, crawl the crash-stats URLs mentioned in those bugs, and identify bugs that link to exploitable-looking crashes?
    • [Jesse] Furthermore, if you encounter a crash, it's hard to tell whether it's already reported, given all the non-reproducible bug reports
    • [Jesse] I did this for a bit: https://developer.mozilla.org/en-US/docs/Triaging_crash_bugs
    • [Jesse] Idea: designate a month during which identifying a security bug from the crash bug backlog gets you a bounty.
      • Create a #crashtriage IRC channel for coordinating this effort.
        • unless we expect a lot of traffic sticking with #security would be better
          • or #bugday
      • Promote on @mozsec, sec blog, dev-security, QA's bug-day list, etc.
      • Additionally, give t-shirts to everyone who helps triage and larger prizes to MVPs (e.g. people who triage a lot of bugs, or automate things).
  • [ygjb] Blocklist update for Java 7u7 (CTP for 17 + softblock in older versions)
  • [decoder] I now have a script watching Metasploit commits for "Java", "Firefox"
  • [psiinon] Are we monitoring http://www.xssed.com/ ? Can sign up here: http://www.xssed.com/earlywarning
  • [ygjb] Minion Overview
    • [st3fan] Minion Demo
  • [psiinon] https://gear.mozilla.org/ has soft launched [and has mixed content :( ]
  • [psiinon] Secteam's OWASP info on the wiki: https://wiki.mozilla.org/Security#OWASP_Projects_and_chapters
  • [ygjb] Mentorship program
    • Ideas for mentorship
    • Need more mentors!

Possible MDN Articles

  • [decoder] MDN article on coverage in progress: https://developer.mozilla.org/en-US/docs/Measuring_Code_Coverage_on_Firefox
    • Upcoming blog post will be referring to this
  • [psiinon] https://developer.mozilla.org/en-US/docs/Security/Firefox_Security_Guidelines
  • Web Security Articles
    • Content Considerations
    • Topics to Document
      • Cross Site Scripting (Stored, Reflected, DOM)
      • CSRF
      • XFO / UI Redress
      • STS
      • Data Validation
      • JSON Security Considerations
  • Secure Python Coding Practices (st3fan) (we already have a bunch but it is all over the place)
    • What's wrong with wikimo for this? I think that's where most of this content is.
      • Nothing wrong with that :-) I would like to contribute anyway :-)
      • Which content? devmo is where docs for web devs live. wikimo is focused on things for mozilla contributors.
      • Don't hesitate to contact me (teoli on IRC, on #devmo, jperrier@mozilla.com) or sheppy if you have any questions: we are not on the same continent, so between us we cover European and American work hours fairly well (a little less of Asian work hours, though). Tag articles for review.

Upcoming Speaking Engagements

  • (Who) : Date: Name of Event : Talk Title: Link
  • Yvan Boily : Nov 21 : Vancouver Python User Group : Introduction to OWASP ZAP (Vancouver) : http://www.meetup.com/vanpyz/
  • Yvan Boily : Dec 11 : OWASP Seattle : Security At Scale (Seattle)
  • Yvan Boily : Dec 15 : BSidesSeattle : Security Testing with ZAP (Seattle)

Security Review Status (curtisk)

Operations Security Update (Joe Stevensen)

Project Updates

Please don't leave blank. Add "No Update" if nothing has changed.

Silent updates (rforbes / dveditz)

B2G (Paul Theriault, David Chan)

  • webapi tests are being written
  • install permissions testing is almost done
    • need to fix some event handling in b2g

Thunderbird (Adam Muntner)

Rust (Jesse Ruderman)

Mobile (Mark Goodwin)

  • Progress made on the add-ons question: apparent willingness to have a (default off) 'allow untrusted addons' pref

Sync (Simon Bennetts)

No update

Services (Simon Bennetts & Adam Muntner)

No update

Jetpack, Add-on SDK, Add-on Builder (Dan Veditz)

JS (Christian Holler)

  • Testing threadsafe builds with ion parallel compilation enabled (bug 813559)

DOM, XPConnect (Jesse Ruderman)

Layout, Style (Jesse Ruderman)

Automation Tools (Gary Kwong)

Web Developer Tools (Mark Goodwin)

  • Devtools window landing real soon now

Networking (Christoph Diehl)

  • No update

Media / Graphics (Christoph Diehl)

  • No update

Peach (Christoph Diehl / Raymond Forbes)

  • [cdiehl] Added basic support for DASH (Dynamic Adaptive Streaming over HTTP)

Market (Raymond Forbes)

Firefox APIs (Raymond Forbes)

Payment Flow (Raymond Forbes)

Dynamic API Security Model (Raymond Forbes)

WebRT (Raymond Forbes)

BrowserID

Identity Services (David Chan)

Addons.M.O (Raymond Forbes)

Bugzilla.M.O (Mark Goodwin & Eric Parker)

  • No update

Mozillians (Raymond Forbes)

MDN (Raymond Forbes)

SUMO (Kitsune)

AddressSanitizer (Christian Holler)