Security/Meetings/SecurityAssurance/2013-01-08

From MozillaWiki


  • Time: (Weekly) Tuesday at 13:30 PDT / 16:30 EDT / 21:30 UTC.
  • Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
  • Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
  • Phone (Toronto): 416 848 3114 x92 Conf: 95316#
  • Phone (US): 800 707 2533 (pin 369) Conf: 95316#

Agenda

  • [mcoates] Freddy's back!
    • Freddy (Frederik Braun) will be in SF this week, MV next week, and near Cologne, Germany afterwards.
    • "I work on: making Mozilla's web applications more secure: security reviews, automation and the like"
  • [mcoates] Goals - 2013 Q1 Goals
    • Will be on google doc.
    • Work with your manager this week
    • Company goals are not yet locked down.
    • Each of us should aim to have 4-5 goals: 3 supporting team quarterly goals; 1 supporting a year-long project; 1 supporting personal growth (?)
  • [mcoates] Metrics
    • Bugs Filed (use sec keyword), Reviews Completed (by assigned to)
    • Only bugs with sec-* keywords are counted in this project.
      • [jesse] I think you should also count unrated bugs in core-security.
        • But then if the bug becomes public, while still not having a sec-* rating, it won't be counted.
          • [decoder] That's rare.
          • Should we add a "sec-needs-rating" keyword that can also go on public bugs?
            • [gkw] We currently mark the bug as conservatively as possible, e.g. sec-critical / high
              • [rforbes] But this will inflate sec-critical bug numbers
  • [mcoates] Weekly meeting template
    • Firefox Desktop / Mobile, Firefox OS, Web Apps, Operations Sec
  • [jesse, pauljt] How do we mark Review Request bugs if we (current employees) don't intend to work on them, but they're still possibly useful for volunteers to pick up? I'd prefer not to use WONTFIX.
  • [yvan] - Documenting the results of security reviews

Is this the blog post? https://blog.mozilla.org/security/2012/05/08/speeding-up-security-reviews/ yes

Planned Blog Posts

Speaking Engagements

  • (Who) : Date: Name of Event : Talk Title: Link
  • OWASP Bay Area Meeting at Mozilla SF - Tues, Jan 8
  • Simon Bennetts : Feb 2-3 : FOSDEM : Talking about ZAP :)
  • Raymond Forbes : Feb 27 - March 2 : Nullcon

Security Review Status (curtisk)

Operations Security Update (Joe Stevensen)

Project Updates

Please don't leave blank. Add "No Update" if nothing has changed

Silent updates (rforbes / dveditz)

B2G (Paul Theriault, David Chan)

  • Review status: https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0Ap-jgPe0UrMhdE9SMm5xNzBwTk13UHBCcUdQazNUQ1E#gid=0
  • Project deadline still 15th Jan
  • High priority reviews outstanding

Thunderbird (Adam Muntner)

Rust (Jesse Ruderman)

Mobile (Mark Goodwin)

  • No update (unless Stefan has one)

Sync (Simon Bennetts)

Services (Simon Bennetts & Adam Muntner)

Jetpack, Add-on SDK, Add-on Builder (Dan Veditz)

JS (Christian Holler)

  • Working on parallel jit-tests, to allow more tests in the test suite

DOM, XPConnect (Jesse Ruderman)

Layout, Style (Jesse Ruderman)

Automation Tools (Gary Kwong)

  • No update

Web Developer Tools (Mark Goodwin)

  • No update

Networking (Christoph Diehl)

  • No update

Media / Graphics (Christoph Diehl)

  • gUM is not pref'ed on by default

Peach (Christoph Diehl / Raymond Forbes)

Market (Raymond Forbes)

Firefox APIs (Raymond Forbes)

Payment Flow (Raymond Forbes)

Dynamic API Security Model (Raymond Forbes)

WebRT (Raymond Forbes)

BrowserID

Identity Services (David Chan)

Addons.M.O (Raymond Forbes)

Bugzilla.M.O (Mark Goodwin & Eric Parker)

Mozillians (Raymond Forbes)

MDN (Raymond Forbes)

SUMO (Kitsune)

AddressSanitizer (Christian Holler)