Security/Meetings/SecurityAssurance/2013-08-13



  • Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
  • Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
  • Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
  • Phone (Toronto): 416 848 3114 x92 Conf: 95316#
  • Phone (US): 800 707 2533 (pin 369) Conf: 95316#

Agenda

  • I [freddy] was asked to talk briefly about the b2g-email app review, can do that.
    • starttls bug https://bugzilla.mozilla.org/show_bug.cgi?id=784816

  • [Yvan] Team Meetup Update

https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AmLct3lOMM6ZdDAyd0tvaUxmV3BkdV81aDA5UXlINkE#gid=11

Agenda
  • Security Blog changes
    • Trying to blog once a week
    • Security Champions invited to contribute!
  • Sec Notification Process (draft) https://etherpad.mozilla.org/security-notification-process
    • please give feedback
    • wkg asked about how we find sites and APIs for cloning bugs when we have a large number of sites
  • (curtisk) Quarterly Goal for Security Champions - Roles & Responsibilities
    • What we expect from champions
    • How champions can make security decisions
    • How champions can engage the security team
    • planned structure: as a workshop for summit to be presented
  • Where are we with BREACH?
    • need to find all the sites where we might be vulnerable
    • https://bugzilla.mozilla.org/show_bug.cgi?id=903627
      • bug is stalled a bit in IT, needs input from SA mgmt, wkg to need-info whom he thinks needs to be involved
      • https://github.com/mozilla/minion-breach-plugin (checks HTTP compression, but I think we can be more aggressive and can perform actual attack with an average success; it's a tricky attack.)

Open questions

  • Sumo and bounties
    • possible blog post on using stage to look for bounties
  • Adding Persona to bounty program (francios)
    • email dveditz, chofmann, abillings, rforbes & myself to start discussion

</end Sec-Champs>

  • https://people.mozilla.com/~sarentz/talks/ohm2013/firefoxos.pdf
  • https://people.mozilla.com/~sarentz/talks/ohm2013/websecurity101.pdf

Upcoming Speaking Engagements

(List it at these two locations too: https://developer.mozilla.org/en-US/events & https://wiki.mozilla.org/Security/Talks )

Planned Blog Posts

  • https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AlDw2hHXmVgCdHN3LWZTZ0hjMElPc1g2clRKb2lNN3c --> moving to mana
    • plan to post 1 per week (should average to ~2 posts per year, per team member)
      • include posts from sec-eng and guest posts from sec-champs or frequent contributors / bounty reporters
    • Next steps:
      • everyone on the team _must_ submit a topic to blog on
      • First post: next week by Yeuk on Minion plugins
      • Set up a shared Zimbra calendar (similar to rotation) and assign writers to date slots (this should show up on your personal calendar and give you a reminder that your date is coming)

Security Review Status (curtisk)

  • Completed in Q1: 64 / Q2: 72

https://security-review-statistics.vcap.mozillalabs.com/weekly (24)