• Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
• Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
• Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
• Phone (Toronto): 416 848 3114 x92 Conf: 95316#
• Phone (US): 800 707 2533 (pin 369) Conf: 95316#

Agenda

• (curtisk) MDN Articles
  • review https://wiki.mozilla.org/Security/Meetings/SecurityAssurance/2012-11-20#Possible_MDN_Articles
  • cdiehl : thread sanitizer : https://developer.mozilla.org/en-US/docs/Thread_Sanitizer
  • decoder: https://developer.mozilla.org/en-US/docs/Measuring_Code_Coverage_on_Firefox
  • [psiinon] will write something on XSS on MDN - prob basic intro to reflected, stored, DOM plus preventing them
  • Who : idea : url ??
• Goals - Please keep status up to date - https://mana.mozilla.org/wiki/display/SECURITY/2012+-+Q4+Goals
• Champions Needed: Firefox OS, Firefox Desktop, Firefox Mobile
• Review Security Radar Page - https://wiki.mozilla.org/Security/Radar
• Work Week Dates
  • Stefan on paternity leave march 7 >:-) (in theory... I was to be on pat leave sept 10, landed august 23 ;)
  • End of Feb? Bad
  • March? CanSecWest - 6-8, Curtis promised elsewhere 15-17
• Use After Free Solutions - Talking with Sid & Sec Eng too
  • Instrument compiler? Warnings on try?
  • RelEng ASAN builds running tests and reporting on TBPL
  • http://glandium.org/blog/?p=2848
  • [decoder] What is the goal here? ASan already instruments the code *and* intercepts heap allocation. The hard thing is to actually trigger the use-after-free, not to detect it when it happens. ++
  • [decoder] Our bug bounty participants are finding lots of bugs with ASan+fuzzing, so we should do more of that (?)
  • [decoder] Patterns in the code like raw pointers that should be nsCOMPtr, sketchy kungFuDeathGrips
  • Static analysis?
  • [Jesse] I've been filing sec-want bugs for eliminiating classes of bugs, such as https://bugzilla.mozilla.org/show_bug.cgi?id=810718 (adding dynamic checks to pldhash)
    • [Jesse] Is there a team dedicated to fixing C++ architectural issues, including ones that we identify? (ask lucas adamski?)
• [decoder] Blog post for review: https://security.etherpad.mozilla.org/SecurityBlogSecurityCoverage
  • Corresponding MDN article see above
• [psiinon] OWASP Leeds event - burp suite next version
• [dchan] - relocating, Jan timeframe

Upcoming Speaking Engagements

• (Who) : Date: Name of Event : Talk Title: Link
• Yvan Boily : Dec 11 : OWASP Seattle : Security At Scale (Seattle)
• Yvan Boily : Dec 15 : BSidesSeattle : Security Testing with ZAP (Seattle)

Security Review Status (curtisk)

• TO-DO: Google Doc Spreadsheet showing week over week numbers
• Completed in Q4 2012:
• Number of Reviews Completed (so far this quarter):33 (33)
  • https://bugzilla.mozilla.org/buglist.cgi?list_id=4619884;resolution=FIXED;chfieldto=2012-12-31;query_format=advanced;chfield=resolution;chfieldfrom=2012-09-30;type0-0-0=anywords;component=Security%20Assurance%3A%20Review%20Request;product=mozilla.org
• Number of Outstanding Reviews: 141 (140)
  • https://bugzil.la/comp%3A%22security%20assurance%3A%20review%20request%22
• Number of Reviews Ready For Review: 87
  • https://bugzilla.mozilla.org/buglist.cgi?status_whiteboard_type=allwordssubstr;query_format=advanced;list_id=5058936;field0-0-0=status_whiteboard;status_whiteboard=pending;bug_status=UNCONFIRMED;bug_status=NEW;bug_status=READY;bug_status=ASSIGNED;bug_status=REOPENED;type0-0-0=notsubstring;value0-0-0=[needs%20info];component=Security%20Assurance%3A%20Review%20Request
• Number of reviews without risk rating: 38 (31)
  • https://bugzil.la/component%3A%22Security%20Assurance%3A%20Review%20Request%22%20-sw%3A%22%5Bneeds%20info%5D%22%20-sw%3A%22%5Bscore%3A%22
• Number of reviews without deadline set: 131 (130)
  • https://bugzilla.mozilla.org/buglist.cgi?field0-0-0=cf_due_date;query_format=advanced;resolution=---;type0-0-0=isempty;component=Security%20Assurance%3A%20Review%20Request;product=mozilla.org
• Find Yours:
  • MIssing Risk Rating (Yours)
  • Without Deadlin (Yours)

Operations Security Update (Joe Stevensen)

Project Updates

Please don't leave blank. Add "No Update" if nothing has changed

Silent updates (rforbes / dveditz)

B2G (Paul Theriault, David Chan)

• final stretch for webapi testing
  • paul is finishing up the api tests

Thunderbird (Adam Muntner)

Rust (Jesse Ruderman)

Mobile (Mark Goodwin)

• PB to land in FX20 - testing help would be appreciated

Sync (Simon Bennetts)

• No update

Services (Simon Bennetts & Adam Muntner)

• No update

Jetpack, Add-on SDK, Add-on Builder (Dan Veditz)

JS (Christian Holler)

• Still fuzzing IonMonkey threaded compilation and working with JS devs to get better diagnostics to track down the bugs easier

DOM, XPConnect (Jesse Ruderman)

Layout, Style (Jesse Ruderman)

Automation Tools (Gary Kwong)

Web Developer Tools (Mark Goodwin)

• Developer tools window (was briefly) in m-c; it's worth playing with.

Networking (Christoph Diehl)

• Added RTP/RTCP fuzzing capabilities into 'mediaconduit' for WebRTC

Media / Graphics (Christoph Diehl) =

• No update

Peach (Christoph Diehl / Raymond Forbes) =

Market (Raymond Forbes)

Firefox APIs (Raymond Forbes)

Payment Flow (Raymond Forbes)

Dynamic API Security Model (Raymond Forbes)

WebRT (Raymond Forbes)

BrowserID

Identity Services (David Chan)

Addons.M.O (Raymond Forbes)

Bugzilla.M.O (Mark Goodwin & Eric Parker)

• No update

Mozillians (Raymond Forbes)

MDN (Raymond Forbes)

SUMO (Kitsune) ()

AddressSanitizer (Christian Holler)

• No update