Security/Meetings/SecurityAssurance/2013-04-09

  • Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
  • Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
  • Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
  • Phone (Toronto): 416 848 3114 x92 Conf: 95316#
  • Phone (US): 800 707 2533 (pin 369) Conf: 95316#

Agenda

 https://code.google.com/p/zap-extensions/downloads/detail?name=zest-alpha-2.zap
 https://builder.addons.mozilla.org/package/181831/latest/

https://mana.mozilla.org/wiki/display/SECURITY/AppSec+Web+Bug+Reviews

Upcoming Speaking Engagements

(List it at these two locations too: https://developer.mozilla.org/en-US/events & https://wiki.mozilla.org/Security/Talks )

  • MGoodwin 10th @ Sheffield Hallam (will update talks pages)
  • Yvan, BSidesWinnipeg (November)
  • St3fan, Submitted a talk about Firefox OS to OHM2013 https://ohm2013.org
  • St3fan, Will submit a talk about Minion to OHM2013
  • psiinon Threadfix + ZAP integration April 24 Webinar
  • psiinon, submitted ZAP talks to OWASP AppSec EU and USA

Planned Blog Posts

Security Review Status (curtisk)

  • Completed in Q1 2013: 66

https://security-review-statistics.vcap.mozillalabs.com/weekly « 5 <- I'm fixing this today (think the This Quarter number is still wrong)

Operations Security Update (Joe Stevensen)

  • Continued AWS growth
  • Firewall change monitoring
  • NSM Deployment update
  • Monthly metrics (vulns, incidents, infrastructure changes)
  • SecReviews completed
    • LDAP
    • Release Engineering
    • Marketplace Payments
    • Stackato

Stuff we will work on Q2:

  • MFA
  • SecReview of Email, Storage, Virtualization
  • Mozilla CA
  • Endpoint security
  • Security Policy Compliance

Project Updates

Please add your name to the update so we know who to follow up with

Firefox Desktop

Mixed content blocking coming in Firefox 23 https://developer.mozilla.org/en-US/docs/Site_Compatibility_for_Firefox_23#Non-SSL_contents_on_SSL_pages_are_blocked_by_default

Firefox Mobile

Firefox OS

  • Sandboxing now a big priority in the project
  • Secure development guidelines: https://docs.google.com/a/mozilla.com/document/d/1DLs1jhTMxN5fh2PSb_O7FDaSadjjAW-MlK1xCBRWGmM/edit#heading=h.cf5se5o21xjw
  • CR going to be working with marketplace to help reviewers find these (^^) things
  • Finalising goals for Q2
  • CSP 1.0 is landing, will impact Firefox OS certified apps. Working with gaia team to solve issues.

Firefox Core

[cdiehl] TURN for WebRTC landed on inbound (pref'ed off) - starting with official fuzz tests.

MarketPlace

Web Apps

Services

Operation Security