Security/Meetings/SecurityAssurance/2013-06-18
- Time: (Weekly) Tuesday at 13:30 PDT / 16:30 EDT / 21:30 UTC.
- Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
- Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
- Phone (Toronto): 416 848 3114 x92 Conf: 95316#
- Phone (US): 800 707 2533 (pin 369) Conf: 95316#
Agenda
- Vendor Review proposal
  - need a way to gauge vendor reviews, what should / must be done
  - used the current list of questions as the guide
  - this is a Q2 Goal for Curtisk - please provide any feedback by EoD 21-June
  - G Doc
- Documentation expectations for security reviews of web apps & services
  - Higher-risk projects have higher documentation requirements
  - Risk Ratings for Security Reviews
    - https://wiki.mozilla.org/Security/RiskRatings#What_Scores_Mean
    - https://wiki.mozilla.org/Security/ReviewProcess
  - OpSec review part coming soon
- Black Hat & DEF CON & CodenomiCON
  - Milk & Cookies party
- Sec Engineering team meetup this week.
  - MV (The Bridge) Mon-Wed
  - SF Thur
- Summit location stuff - no update
- Goals - Please keep status up to date - https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AmLct3lOMM6ZdHU3a2lJRV8xckZXclZJdkNlN3dUYVE&usp=sharing
- Metrics
  - https://security-review-statistics.vcap.mozillalabs.com/
  - https://people.mozilla.com/~sarentz/p/dashboard
    - you can check your stale bugs here ^
  - 23 Kickoff bugs blocked by Security Reviews https://people.mozilla.com/~sarentz/p/dashboard/#!/kickoff
Demos
Minion Status Update + Quick Demo [st3fan]
Upcoming Speaking Engagements
(List it at these two locations too: https://developer.mozilla.org/en-US/events & https://wiki.mozilla.org/Security/Talks )
- psiinon: June 20 OWASP EU tour, Amsterdam - ZAP
- freddyb: June 21: Hack in Paris, June 19-21: "Origin Policy Enforcement in Modern Browsers"
- mgoodwin: June 26 OWASP EU Tour, Dublin - Your Browser as a Security Tool
- psiinon & freddy: August 20-23 AppSec EU - ZAP (see above)
- psiinon: November 18-21 AppSec USA - ZAP
- stefan: "Web Security 101" & "Firefox OS" at OHM2013, July 31 - August 4
- yvan: RMLL July 7-11, Talking about Security
Planned Blog Posts
Security Review Status (curtisk)
- Completed in Q1 2013: 66
- https://security-review-statistics.vcap.mozillalabs.com/weekly (currently at 60, on track to meet or exceed Q1)
Operations Security Update (Joe Stevensen)
Project Updates
Please add your name to the update so we know who to follow up with
Firefox Desktop
Firefox Mobile
Firefox OS
- [cr] From the Making The Same Mistakes Over And Over Again Department: iOS screwed up password creation for tethering http://translate.google.com/translate?hl=en&sl=de&u=http://www.heise.de/newsticker/meldung/iOS-Sicherheitsmaengel-im-Persoenlichen-Hotspot-1891356.html&prev=/search%3Fq%3Dhttp://www.heise.de/newsticker/meldung/iOS-Sicherheitsmaengel-im-Persoenlichen-Hotspot-1891356.html%26client%3Dfirefox-nightly%26hs%3DOl4%26rls%3Dorg.mozilla:en-US:unofficial
  - We implemented the same password generator and actually found that it was a good balance between actual risk and user convenience :-)
  - (Seriously?) How would you figure that balance? WPA cracking can be done offline on a couple of sniffed packets by a GPU, so a complexity of 2^20 is not sufficient. Now the point-and-click cracking tools are there to prove it.