Security/Meetings/SecurityAssurance/2013-05-21

From MozillaWiki


  • Time: (Weekly) Tuesday at 13:30 PDT / 16:30 EDT / 21:30 UTC.
  • Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
  • Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
  • Phone (Toronto): 416 848 3114 x92 Conf: 95316#
  • Phone (US): 800 707 2533 (pin 369) Conf: 95316#

Agenda

  • Next team meetup - in planning - Week Sept 16 - Paris
  • Goals - Please keep status up to date - https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AmLct3lOMM6ZdHU3a2lJRV8xckZXclZJdkNlN3dUYVE&usp=sharing
  • Metrics
  • Two Factor Auth Google Drive
    • Your second factor can be a phone (SMS)
    • can we get one of those token key things? (where do we get one) (YubiKey?)
  • [mcoates] Map of bug filers to category (employment status, whether they focus on security)
    • Only Google Drive users who have enabled TFA will be allowed to access this spreadsheet
      • [gkw] Do we access this via the shared folder?
      • [mcoates] no - it will be a new folder
  • [Jesse] Do we need (or have we done) a security review of productivity software popular among Mozilla employees, especially when it has cloud sync features? (Things, Wunderlist, Evernote, Google Keep, Astrid (which just got bought by Yahoo))
    • Things stores data in Google App Engine (reversed it a while ago :)
    • [mcoates] These tools aren't on the list of approved cloud stores for Mozilla data
    • [mcoates] So it's best if you don't use Things sync with confidential info
    • [joes] Most of these tools don't have individual-user-level encryption
  • [gkw] Networking (in SCL3?) broke when I updated my Linux machine.
  • [st3fan] Quick Minion Update
    • dogfooding beginning with two internal websites (support, input.mozilla.org - staging sites)
  • [pt] XSS & innerHTML (answered below, doesn't need vocalising)

http://mxr.mozilla.org/gaia/source/apps/sms/js/fixed_header.js#57 v1.0.1 has 142 instances of "innerHTML" (though most assign from literals). Most apps use basic sanitisation routines like regexp: http://mxr.mozilla.org/gaia/search?find=%2Fapps%2F&string=escapeHTML

  • [gkw] Anyone else going to Black Hat in Las Vegas?
    • incl. Codenomicon, Defcon....
    • Early bird registration for BH ends on 31 May 2013
    • Tell Abillings this week if you're going!

Upcoming Speaking Engagements

(List it at these two locations too: https://developer.mozilla.org/en-US/events & https://wiki.mozilla.org/Security/Talks )

Planned Blog Posts

Security Review Status (curtisk)

  • Completed in Q1 2013: 66

https://security-review-statistics.vcap.mozillalabs.com/weekly

Operations Security Update (Joe Stevensen)

Project Updates

Please add your name to the update so we know who to follow up with

Firefox Desktop

Firefox Mobile

Firefox OS

Firefox Core

  • Eyes on Jetpack / protocol handling bugs: bugs 779197 and 820213, please

MarketPlace

  • [cr] trying to solve the multi-marketplace threat with reputation, will suggest a Meta Marketplace ("marketplace for marketplaces") concept.

Web Apps

Services

Operations Security