Security/Meetings/SecurityAssurance/2013-04-09
- Time: (Weekly) Tuesday at 13:30 PDT / 16:30 EDT / 21:30 UTC.
- Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
- Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
- Phone (Toronto): 416 848 3114 x92 Conf: 95316#
- Phone (US): 800 707 2533 (pin 369) Conf: 95316#
Agenda
- Goals
- Q1 goals page is now locked
- You've all been discussing Q2 goals with at least your manager, right?
- Q2 goals page will exist later this week?
- Metrics
- [gkw] Working on a blogpost on orangfuzz (mobile fuzzer for Firefox OS)
- [psiinon] + [mgoodwin] Browser / sec tool integration
  - Zest alpha 2 for ZAP: https://code.google.com/p/zap-extensions/downloads/detail?name=zest-alpha-2.zap
  - Firefox add-on build: https://builder.addons.mozilla.org/package/181831/latest/
- Active mixed content is now blocked in Firefox nightly 23
- Metabug: https://bugzilla.mozilla.org/show_bug.cgi?id=815321
- Turned on: https://bugzilla.mozilla.org/show_bug.cgi?id=834836
- Tanvi's blog post: https://etherpad.mozilla.org/bxR6mHSdWj
- https://developer.mozilla.org/en-US/docs/Site_Compatibility_for_Firefox_23#Non-SSL_contents_on_SSL_pages_are_blocked_by_default
- Many of our sites are broken when active mixed content is blocked
- Metabug: https://bugzilla.mozilla.org/show_bug.cgi?id=843977
- Is this because we never tested our sites with IE and Chrome?
- How we keep up with Firefox changes (such as mixed content)
- http://www.mozilla.org/en-US/firefox/20.0/releasenotes/buglist.html
- https://www.mozilla.org/en-US/firefox/22.0a2/auroranotes/
- http://www.squarefree.com/burningedge/ (maintained by Jesse) (this page++)
- http://www.rumblingedge.com/ for Thunderbird! (maintained by gkw)
- Raymond and Dan sometimes attend the security engineering team meeting (Thur 3p PT)
- Upcoming work week
  - https://mana.mozilla.org/wiki/display/SECURITY/AppSec+Web+Bug+Reviews
Upcoming Speaking Engagements
(List it at these two locations too: https://developer.mozilla.org/en-US/events & https://wiki.mozilla.org/Security/Talks )
- MGoodwin, 10th @ Sheffield Hallam (will update talks pages)
- Yvan, BSidesWinnipeg (November)
- St3fan, Submitted a talk about Firefox OS to OHM2013 https://ohm2013.org
- St3fan, Will submit a talk about Minion to OHM2013
- psiinon Threadfix + ZAP integration April 24 Webinar
- psiinon, submitted ZAP talks to OWASP AppSec EU and USA
Planned Blog Posts
- https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AlDw2hHXmVgCdHN3LWZTZ0hjMElPc1g2clRKb2lNN3c
- gkw working on a post
Security Review Status (curtisk)
- Completed in Q1 2013: 66
- https://security-review-statistics.vcap.mozillalabs.com/weekly « 5 <- I'm fixing this today (think the "This Quarter" number is still wrong)
Operations Security Update (Joe Stevensen)
- Continued AWS growth
- Firewall change monitoring
- NSM Deployment update
- Monthly metrics (vulns, incidents, infrastructure changes)
- SecReviews completed
- LDAP
- Release Engineering
- Marketplace Payments
- Stackato
Stuff we will work on in Q2:
- MFA
- SecReview of Email, Storage, Virtualization
- Mozilla CA
- Endpoint security
- Security Policy Compliance
Project Updates
Please add your name to the update so we know who to follow up with
Firefox Desktop
- Mixed content blocking coming in Firefox 23: https://developer.mozilla.org/en-US/docs/Site_Compatibility_for_Firefox_23#Non-SSL_contents_on_SSL_pages_are_blocked_by_default
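The agenda item above notes that many of our sites break once Firefox 23 blocks active mixed content. The script below is an added example (not Mozilla code, not part of these notes) showing how to triage a page before the change ships: it parses the HTML of an HTTPS page and sorts http:// subresources into the "active" bucket (scripts, stylesheets, frames, plugins, which Firefox 23 blocks by default) and the "passive" bucket (images, audio, video, which still load with a warning). The page URL, the sample HTML and the tag/attribute tables are constructed for illustration; the script only looks at subresources declared in HTML, so fonts pulled in from CSS or fetches made by script (XHR, WebSocket) are not covered.

```python
"""Sort http:// subresources on an HTTPS page into active vs passive mixed
content, following the Firefox 23 site-compatibility note.

Added example for these meeting notes; not Mozilla code. SAMPLE_PAGE_URL and
SAMPLE_HTML are constructed inputs, not real sites.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs whose http:// target Firefox 23 blocks on an HTTPS page.
ACTIVE = {("script", "src"), ("link", "href"), ("iframe", "src"),
          ("frame", "src"), ("object", "data"), ("embed", "src")}
# (tag, attribute) pairs that still load, but trigger the mixed-content warning.
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class MixedContentParser(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.active = []    # list of (tag, absolute_url)
        self.passive = []   # list of (tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Only stylesheet <link>s fetch active content; icons/prefetch are ignored.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for bucket, pairs in ((self.active, ACTIVE), (self.passive, PASSIVE)):
            for t, a in pairs:
                if tag == t and attrs.get(a):
                    # Resolve relative and protocol-relative URLs against the
                    # HTTPS page: "//cdn/x.js" and "/local.js" become https://
                    # and are therefore not mixed content.
                    url = urljoin(self.page_url, attrs[a])
                    if urlsplit(url).scheme == "http":
                        bucket.append((tag, url))


def find_mixed_content(page_url, html):
    """Return (active, passive): http:// subresources declared in the HTML."""
    if urlsplit(page_url).scheme != "https":
        return [], []   # mixed content only exists on an HTTPS page
    parser = MixedContentParser(page_url)
    parser.feed(html)
    parser.close()
    return parser.active, parser.passive


# Constructed sample page (hypothetical hosts, not real sites).
SAMPLE_PAGE_URL = "https://www.example.org/index.html"
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="http://static.example.org/site.css">
<link rel="icon" href="http://static.example.org/favicon.ico">
<script src="http://cdn.example.net/jquery.js"></script>
<script src="//cdn.example.net/app.js"></script>
<script src="/js/local.js"></script>
</head><body>
<img src="http://static.example.org/logo.png">
<iframe src="http://widgets.example.com/embed"></iframe>
<video src="https://media.example.org/intro.webm"></video>
</body></html>"""


if __name__ == "__main__":
    active, passive = find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML)
    for tag, url in active:
        print("BLOCKED in Firefox 23 (active):", tag, url)
    for tag, url in passive:
        print("loaded with warning (passive):", tag, url)
```

On the sample page the stylesheet, the jQuery script and the iframe are the three things that will break; the favicon is not a subresource Firefox treats as active, the protocol-relative and root-relative scripts resolve to https://, and the http:// logo only downgrades the lock icon. Running something like this over the site list behind the metabug gives a fix-first list rather than waiting for breakage reports.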
Firefox Mobile
Firefox OS
- Sandboxing now a big priority in the project
- Secure development guidelines: https://docs.google.com/a/mozilla.com/document/d/1DLs1jhTMxN5fh2PSb_O7FDaSadjjAW-MlK1xCBRWGmM/edit#heading=h.cf5se5o21xjw
- CR going to be working with marketplace to help reviewers find these (^^) things
- Finalising goals for Q2
- CSP 1.0 is landing, will impact Firefox OS certified apps. Working with gaia team to solve issues.
Firefox Core
[cdiehl] TURN for WebRTC landed on inbound (pref'ed off) - starting with official fuzz tests.