Security/Meetings/SecurityAssurance/2013-01-08
- Time: (Weekly) Tuesday at 13:30 PDT / 16:30 EDT / 21:30 UTC.
- Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
- Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
- Phone (Toronto): 416 848 3114 x92 Conf: 95316#
- Phone (US): 800 707 2533 (pin 369) Conf: 95316#
Agenda
- [mcoates] Freddy's back!
- Freddy (Frederik Braun) will be in SF this week, MV next week, and near Cologne, Germany afterwards.
- "I work on: making Mozilla's web applications more secure: security reviews, automation and the like"
- [mcoates] Goals - 2013 Q1 Goals
- Will be on google doc.
- Work with your manager this week
- Company goals are not yet locked down.
- Each of us should aim to have 4-5 goals: 3 supporting team quarterly goals; 1 supporting a year-long project; 1 supporting personal growth (?)
- [mcoates] Metrics
- Bugs Filed (use sec keyword), Reviews Completed (by assigned to)
- Only bugs with sec-* keywords are counted in this project.
- [jesse] I think you should also count unrated bugs in core-security.
- But then if the bug becomes public, while still not having a sec-* rating, it won't be counted.
- [decoder] That's rare.
- Should we add a "sec-needs-rating" keyword that can also go on public bugs?
- [gkw] We currently mark the bug as conservatively as possible, e.g. sec-critical / high
- [rforbes] But this will inflate sec-critical bug numbers
- [mcoates] Weekly meeting template
- Firefox Desktop / Mobile, Firefox OS, Web Apps, Operations Sec
- [jesse, pauljt] How do we mark Review Request bugs if we (current employees) don't intend to work on them, but they're still possibly useful for volunteers to pick up? I'd prefer not to use WONTFIX.
- This question only applies to client features, since web sites don't go up until they're reviewed.
- [yvan] We could use the 'mentor' whiteboard tag
- http://www.joshmatthews.net/deck.js/mentor/
- [dchan] jdm's search page - http://www.joshmatthews.net/bugsahoy/?
- [jesse, curtis] We'll exclude bugs with 'sw:mentor' from the "Stale security reviews" query
- [yvan] Champions and other developers are possible assignees
- [curtis] Also note that "needinfo?" excludes bugs from the official "Stale security reviews" query
- https://etherpad.mozilla.org/stale
- [yvan] Documenting the results of security reviews
- This gives us a chance to improve our , and is something to show when the world asks "why shouldn't this feature scare the crap out of me?"
- Examples
- link to what's needed?
- Is this the blog post? https://blog.mozilla.org/security/2012/05/08/speeding-up-security-reviews/ yes
- [curtisk] communications for Jan
- [decoder] Planning to visit HITB Conference 2013 in April in Amsterdam. Will check with Lucas who is going (some SecEng people usually attend this). Freddyb might also be interested in going.
- CFP open
- [David Chan] B2G is coming down to the line (15/1); help with updates & browser API review would be great
- [gkw] And also testing your Unagi device
- [raymond] I've been looking at bug bounty stats (especially bounties for our web sites), and will have recommendations
- [psiinon] Zest preso
- Review Security Radar Page - https://wiki.mozilla.org/Security/Radar
Planned Blog Posts
- [decoder] https://security.etherpad.mozilla.org/SecurityBlogSecurityCoverage
- needs a publish date
Speaking Engagements
- (Who) : Date: Name of Event : Talk Title: Link
- OWASP Bay Area Meeting at Mozilla SF - Tues, Jan 8
- Simon Bennetts : Feb 2-3 : FOSDEM : Talking about ZAP :)
- Raymond Forbes : Feb 27 - March 2 : Nullcon
Security Review Status (curtisk)
- Completed in Q4 2012: 50
- Number of Reviews Completed (so far this quarter): 4
- Number of Outstanding Reviews: 129
- Number of Reviews Ready For Review: 67
- Number of reviews without risk rating: 54
- Number of reviews without deadline set: 117
- Find Yours:
Operations Security Update (Joe Stevensen)
Project Updates
Please don't leave blank. Add "No Update" if nothing has changed
Silent updates (rforbes / dveditz)
B2G (Paul Theriault, David Chan)
- Review status: https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0Ap-jgPe0UrMhdE9SMm5xNzBwTk13UHBCcUdQazNUQ1E#gid=0 - Project deadline still 15th Jan - High priority reviews outstanding
Thunderbird (Adam Muntner)
Rust (Jesse Ruderman)
Mobile (Mark Goodwin)
- No update (unless Stefan has one)
Sync (Simon Bennetts)
Services (Simon Bennetts & Adam Muntner)
Jetpack, Add-on SDK, Add-on Builder (Dan Veditz)
JS (Christian Holler)
- Working on parallel jit-tests, to allow more tests in the test suite
DOM, XPConnect (Jesse Ruderman)
Layout, Style (Jesse Ruderman)
Automation Tools (Gary Kwong)
- No update
Web Developer Tools (Mark Goodwin)
- No update
Networking (Christoph Diehl)
- No update
Media / Graphics (Christoph Diehl)
- gUM is not pref'ed on by default
Peach (Christoph Diehl / Raymond Forbes)
- Working on FruitFarm