Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
Phone (Toronto): 416 848 3114 x92 Conf: 95316#
Phone (US): 800 707 2533 (pin 369) Conf: 95316#

Agenda

US Holiday this Thursday (11/22) and Friday (11/23).
(curtisk/jperrier) MDN - Security engagement
(curtisk) Security Champions (sec-champs@mozilla.com), next meeting on 4-Dec
(curtisk) ready for review stats - request of mcoates, individual items, team items ??
Goals - Please keep status up to date - https://mana.mozilla.org/wiki/display/SECURITY/2012+-+Q4+Goals
- Quarter basically ends Dec 15; even if you're not on vacation, everyone else will be. So we have 3 weeks left.
Review Security Radar Page - https://wiki.mozilla.org/Security/Radar
[dveditz] “Bugzilla crash bugs and security risk” thread on security-group
- Concern: with thousands[?] of open crash bugs, and hundreds with testcases, some may be exploitable (as in triggerable by web page and memory safety bugs).
- “It’s easier to wade through Bugzilla than write your own fuzzer”
  - Or crash-stats
- [decoder] What can be automated?
  - We have something like !exploitable running on Socorro now, so we could e.g. auto-check the security box on the "File a bug based on this report".
    - [Jesse] Could we go through all crash bugs, crawl the crash-stats URLs mentioned in those bugs, and identify bugs that link to exploitable-looking crashes?
- [Jesse] Furthermore, if you encounter a crash, it's hard to tell if it's already reported with all the non-reproducable bug reports
- [Jesse] I did this for a bit: https://developer.mozilla.org/en-US/docs/Triaging_crash_bugs
- [Jesse] Idea: designate a month during which identifying a security bug from the crash bug backlog gets you a bounty.
  - Create a #crashtriage IRC channel for coordinating this effort.
    - unless we expect a lot of traffic sticking with #security would be better
      - or #bugday
  - Promote on @mozsec, sec blog, dev-security, QA's bug-day list, etc.
  - Additionally, give t-shirts to everyone who helps triage and larger prizes to MVPs (e.g. people who triage a lot of bugs, or automate things).
[ygjb] Blocklist update for Java 7u7 (CTP for 17 + softblock in older versions)
[decoder] I now have a script watching Metasploit commits for "Java", "Firefox"
[psiinon] We monitoring http://www.xssed.com/ ? Can sign up here: http://www.xssed.com/earlywarning
[ygjb] Minion Overview
- [st3fan] Minion Demo
[psiinon] https://gear.mozilla.org/ has soft launched [and has mixed content:( ]
[psiinon] Secteam's OWASP info on the wiki: https://wiki.mozilla.org/Security#OWASP_Projects_and_chapters
[ygjb] Mentorship program
- Ideas for mentorship
- Need more mentors!

Possible MDN Articles

[decoder] MDN article on coverage in progress: https://developer.mozilla.org/en-US/docs/Measuring_Code_Coverage_on_Firefox
- Upcoming blog post will be referring to this
[psiinon] https://developer.mozilla.org/en-US/docs/Security/Firefox_Security_Guidelines
Web Security Articles
- Content Considerations
  - Link these from https://developer.mozilla.org/en-US/docs/Security :) Yes, this is the best way so that we can keep track of the articles and organise them when the number increase.
  - MDN vs http://www.webplatform.org/ for the stuff that isn't Firefox-focused?We always can move articles to webplatform.org in the future if it is a success (which we hope).
- Topics to Document
  - Cross Site Scripting (Stored, Reflected, DOM)
  - CSRF
  - XFO / UI Redress
  - STS
  - Data Validation
  - JSON Security Considerations
Secure Python Coding Practices (st3fan) (we already have a bunch but it is all over the place)
- What's wrong with wikimo for this? I think that's where most of this content is.
  - Nothing wrong with that :-) I would like to contribute anyway :-)
  - Which content? devmo is where docs for web devs live. wikimo is focused on things for mozilla contributors.
    - Playdoh documentation was mentioned as an example and that is for Mozilla contributors primarily so doesn't feel right on MDN.
    - https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines
  - Don't hesitate to contact me (teoli on IRC, on #devmo, jperrier@mozilla.com) or sheppy if any questions: we are not on the same continent so we cover fairly Europe and American work time (a little bit less Asian work time though) Tag articles for review.

Upcoming Speaking Engagements

(Who) : Date: Name of Event : Talk Title: Link
Yvan Boily : Nov 21 : Vancouver Python User Group : Introduction to OWASP ZAP (Vancouver) : http://www.meetup.com/vanpyz/
Yvan Boily : Dec 11 : OWASP Seattle : Security At Scale (Seattle)
Yvan Boily : Dec 15 : BSidesSeattle : Security Testing with ZAP (Seattle)

Security Review Status (curtisk)

Completed in Q4 2012:
Number of Reviews Completed (so far this quarter):33 (26)
- https://bugzilla.mozilla.org/buglist.cgi?list_id=4619884;resolution=FIXED;chfieldto=2012-12-31;query_format=advanced;chfield=resolution;chfieldfrom=2012-09-30;type0-0-0=anywords;component=Security%20Assurance%3A%20Review%20Request;product=mozilla.org
Number of Outstanding Reviews: 140 (146)
- https://bugzil.la/comp%3A%22security%20assurance%3A%20review%20request%22
Number of Reviews Ready For Review:
- query
Number of reviews without risk rating: 31 (31)
- https://bugzil.la/component%3A%22Security%20Assurance%3A%20Review%20Request%22%20-sw%3A%22%5Bneeds%20info%5D%22%20-sw%3A%22%5Bscore%3A%22
Number of reviews without deadline set: 130 (136)
- https://bugzilla.mozilla.org/buglist.cgi?field0-0-0=cf_due_date;query_format=advanced;resolution=---;type0-0-0=isempty;component=Security%20Assurance%3A%20Review%20Request;product=mozilla.org
Find Yours:
- MIssing Risk Rating (Yours)
- Without Deadlin (Yours)

Operations Security Update (Joe Stevensen)

Project Updates

Please don't leave blank. Add "No Update" if nothing has changed

Silent updates (rforbes / dveditz)

B2G (Paul Theriault, David Chan)

webapi tests are being written
install permissions testing is almsot done
- need to fix some eventhandling in b2g

Thunderbird (Adam Muntner)

Rust (Jesse Ruderman)

Mobile (Mark Goodwin)

Progress made on addons question - apparent willingless to have a (default off) 'allow untrusted addons' pref

Security/Meetings/SecurityAssurance/2012-11-20

Contents

Agenda

Possible MDN Articles

Upcoming Speaking Engagements

Security Review Status (curtisk)

Operations Security Update (Joe Stevensen)

Project Updates

Silent updates (rforbes / dveditz)

B2G (Paul Theriault, David Chan)

Thunderbird (Adam Muntner)

Rust (Jesse Ruderman)

Mobile (Mark Goodwin)

Sync (Simon Bennetts)

Services (Simon Bennetts & Adam Muntner)

Jetpack, Add-on SDK, Add-on Builder (Dan Veditz)

JS (Christian Holler)

DOM, XPConnect (Jesse Ruderman)

Layout, Style (Jesse Ruderman)

Automation Tools (Gary Kwong)

Web Developer Tools (Mark Goodwin)

Networking (Christoph Diehl)

Media / Graphics (Christoph Diehl) =

Peach (Christoph Diehl / Raymond Forbes) =

Market (Raymond Forbes)

Firefox APIs (Raymond Forbes)

Payment Flow (Raymond Forbes)

Dynamic API Security Model (Raymond Forbes)

WebRT (Raymond Forbes)

BrowserID

Identity Services (David Chan)

Addons.M.O (Raymond Forbes)

Bugzilla.M.O (Mark Goodwin & Eric Parker)

Mozillians (Raymond Forbes)

MDN (Raymond Forbes)

SUMO (Kitsune) ()

AddressSanitizer (Christian Holler)

Navigation menu

Search