Security/Meetings/SecurityAssurance/2013-08-13
- Time: (Weekly) Tuesday at 13:30 PDT / 16:30 EDT / 21:30 UTC.
- Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
- Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
- Phone (Toronto): 416 848 3114 x92 Conf: 95316#
- Phone (US): 800 707 2533 (pin 369) Conf: 95316#
Agenda
- I [freddy] was asked to talk briefly about the b2g-email app review, can do that.
- starttls bug https://bugzilla.mozilla.org/show_bug.cgi?id=784816
- [Yvan] Team Meetup Update
- Choose your entree of Beef or Fish (column c)
- https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AmLct3lOMM6ZdDAyd0tvaUxmV3BkdV81aDA5UXlINkE#gid=0
- [gkw] How much value of a prepaid SIM card can we expense while we're in Paris?
- We have to obtain this before we fly off to France (Le French Mobile, Orange recommended)
- [yvan] will take this on
- http://www.lefrenchmobile.com/en/data-bundles.html
- Yvan to investigate
- [curtisk] Sec-Champs (meeting was today)
Agenda
- Security Blog changes
- Trying to blog once a week
- Security Champions invited to contribute!
- Sec Notification Process (draft) https://etherpad.mozilla.org/security-notification-process
- please give feedback
- wkg asked about how we find sites and APIs for cloning bugs when we have a large number of sites
- (curtisk) Quarterly Goal for Security Champions - Roles & Responsibilities
- What we expect from champions
- How champions can make security decisions
- How champions can engage the security team
- planned structure: as a workshop for summit to be presented
- Where are we with BREACH?
- need to find all the sites where we might be vulnerable
- https://bugzilla.mozilla.org/show_bug.cgi?id=903627
- bug is stalled a bit in IT; needs input from SA mgmt; wkg to needinfo whoever he thinks needs to be involved
- https://github.com/mozilla/minion-breach-plugin (checks HTTP compression, but I think we can be more aggressive and perform the actual attack with average success; it's a tricky attack...)
Open questions
- Sumo and bounties
- possible blog post on using stage to look for bounties
- Adding Persona to bounty program (francois)
- email dveditz, chofmann, abillings, rforbes & myself to start discussion
</end Sec-Champs>
- [decoder/dveditz] Financial aspects of ASan builds/tests (Important)
- [st3fan] OHM2013 Update - http://www.flickr.com/photos/19132706@N00/9416763300/
- https://people.mozilla.com/~sarentz/talks/ohm2013/firefoxos.pdf
- https://people.mozilla.com/~sarentz/talks/ohm2013/websecurity101.pdf
- [curtisk] blog stuff below
- blog ideas in communication plans document on gdocs: https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AlDw2hHXmVgCdHN3LWZTZ0hjMElPc1g2clRKb2lNN3c#gid=0
- Goals - Please keep status up to date - https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AmLct3lOMM6ZdGVNXzUxZkJ0WHJPNG0wMDF3ODF6REE
- Metrics
- Security Reports
- [cr] Some discussions around the SMS-OTA issue and how it affects Firefox OS, but it's basically in the hands of radio vendors and mobile operators, and thus largely beyond our control.
- Some background is here: https://srlabs.de/rooting-sim-cards/
- [PT] Conference Plan
- Team plan for attending conferences. Get the most out of our time
- Spreadsheet in team share - add any missing conferences
- Need to follow up on AppSecUSA
- [pt] campjs was GREAT https://plus.google.com/s/campjs
Upcoming Speaking Engagements
(List it at these two locations too: https://developer.mozilla.org/en-US/events & https://wiki.mozilla.org/Security/Talks )
- Yeuk Hon's intern presentation on Friday, 3:30 PST (see https://air.mozilla.org/channels/interns-2013/)
- AppSec EU - Yvan, Simon, Freddy, Michael
Planned Blog Posts
- https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AlDw2hHXmVgCdHN3LWZTZ0hjMElPc1g2clRKb2lNN3c --> moving to mana
- plan to post 1 per week (should average to ~2 posts per year, per team member)
- include posts from sec-eng and guest posts from sec-champs or frequent contributors / bounty reporters
- Next steps:
- everyone on the team _must_ submit a topic to blog on
- First post: next week by Yeuk on Minion plugins
- Set up a shared Zimbra calendar (similar to the rotation one) and assign writers to date slots (this should show up on your personal calendar and give you a reminder that your date is coming)
Security Review Status (curtisk)
- Completed in Q1: 64 / Q2: 72
https://security-review-statistics.vcap.mozillalabs.com/weekly (24)