Security/Meetings/SecurityAssurance/2013-06-11
- Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
- Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
- Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
- Phone (Toronto): 416 848 3114 x92 Conf: 95316#
- Phone (US): 800 707 2533 (pin 369) Conf: 95316#
Agenda
- pauljt is running the meeting !
- [gkw via abillings] Please book your flights to Las Vegas for Black Hat / <your favourite Vegas conf> - see https://intranet.mozilla.org/ConferencesSchedule/Blackhat2013
- Goals - Please keep status up to date - https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AmLct3lOMM6ZdHU3a2lJRV8xckZXclZJdkNlN3dUYVE&usp=sharing
- Metrics
- https://security-review-statistics.vcap.mozillalabs.com/ (not yet working - server issues :-( )
- https://people.mozilla.com/~sarentz/p/dashboard
- npm / node security (mgoodwin)
- [Jesse] Servo team is figuring out their task and process architecture. I pointed out a few things about the web and its security model, which got pcwalton to redraw most of the diagram, but really they should engage bz and smaug and imelven.
- I'm interested but I wouldn't want to do this by myself (mgoodwin), so is freddy :>
- [psiinon] new(!) #websectools channel !!!!!!!!!!!!111one
Upcoming Speaking Engagements
(List it at these two locations too: https://developer.mozilla.org/en-US/events & https://wiki.mozilla.org/Security/Talks )
- psiinon: June 20 OWASP EU tour, Amsterdam - ZAP
- freddyb: June 21: Hack in Paris, June 19-21: "Origin Policy Enforcement in Modern Browsers"
- mgoodwin: June 26 OWASP EU Tour, Dublin - Your Browser as a Security Tool
- psiinon & freddy: August 20-23 AppSec EU - ZAP (see above)
- psiinon: November 18-21 AppSec USA - ZAP
- stefan: "Web Security 101" & "Firefox OS" at OHM2013, July 31 - August 4
- yvan: RMLL July 7-11, Talking about Security
Planned Blog Posts
[psiinon] Speeding up ZAP scans: https://mana.mozilla.org/wiki/display/~sbennetts@mozilla.com/Draft+blog+post%3A+How+to+speed+up+OWASP+ZAP+scans < feedback appreciated :)
Security Review Status (curtisk)
- Completed in Q1 2013: 66
- This quarter: 52 (the stats below are stuck; run queries to get updated numbers)
https://security-review-statistics.vcap.mozillalabs.com/weekly
Operations Security Update (Joe Stevensen)
Project Updates
Please add your name to the update so we know who to follow up with
Firefox Desktop
Firefox Mobile
Firefox OS
- [cr] T-Labs can help with TrustZone which will enable strong TPM-style encryption features on every SoC that it is ported to. Big decisions here! Whom to involve?
- [cr] We might be able to get strong crypto key material from the SIM card. Ideas for what to use it for besides feeding a soft TrustCore for key derivation?
Firefox Core
MarketPlace
- [cr] dbialer likes our meta-Marketplace idea. Let's talk more to Marketplace.
- [cr] ongoing talks to figure out options to integrate Codemarx into Firefox Market review process, possibly for developers, too. Thoughts on Codemarx?