Security/Meetings/SecurityAssurance/2013-10-23

  • Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
  • Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
  • Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
  • Phone (Toronto): 416 848 3114 x92 Conf: 95316#
  • Phone (US): 800 707 2533 (pin 369) Conf: 95316#

Agenda

  • Goals - Please keep status up to date - https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AthhYg2CqN25dGRDX0ZqTkJ4dTJGWFVyb2RmNTNDbmc
  • Metrics
  • [mcoates] Michael Coates is leaving Friday, after 4 years at Mozilla, for a startup
  • [mcoates] The "security assurance" team will split up, with subteams integrating into product integration.
    • [jcook] This should help us get a seat at the table in each product group, at the point where key decisions are made
    • [jcook] A risk is that security people will be divided, and we may miss things. We want to make consistent recommendations across products. To address this, there will be a "security assurance council".
      • [yvan] The same people will be handling incoming messages as handle them today, and routing them clearly. This includes triage of security review requests.
      • [yvan] The council will be central in tracking risk across the organization, and in deciding whether to take key risks.
    • [jcook] Mozilla's transparency and flexibility mean we can continue to collaborate :)
    • [mcoates] Some of you work with multiple product teams; discuss with your manager(?) which group you want to report to (based on your impact and career growth goals)

In particular,

  • Paul's group will report to the Firefox OS team.
  • Dan's group will report to Bob Moss (VP Platform Engineering), but also help Johnath's group (VP Firefox desktop)
  • Yvan's group will report to Services & Cloud under Mark Mayo
  • Joe's group will report to Infra under Sylvie
  • [jcook] Please speak your minds to your new product leaders and product teams :)
  • [yvan] Let's send our security reviews to security-group for peer review (to reduce risk of missing things after the split)
    • [jesse] Please use public lists, e.g. dev-platform cross-posted to dev-security.
  • [simon bennetts] Will we still be able to invest in things like Minion and ZAP that aren't especially product-focused or even Mozilla-focused?
    • [yvan] Yes. Automation should not be a hard sell to our new group.
  • Will this meeting continue?
    • [yvan] For the next few weeks, yes, to ensure the transition is smooth and make sure nothing gets forgotten.
    • [yvan] In the long term, this meeting might morph into something less frequent and more public
    • [jcook] If you feel siloed, feel free to call a new one-time or recurring meeting.
  • When will this be announced to the rest of the org?
    • [mcoates] I'll send an email to all tomorrow.
  • Will we be going to meetings, team meetup weeks, etc with our new teams?
    • Probably. We'll find out (e.g. as Dan's team meets with Bob Moss) over the next few days.
  • Avoiding technical issues when Michael leaves
    • [jesse] http://people.mozilla.org/~mcoates/ will probably disappear. Does anything link into it?
      • Generally IT can keep people.m.o pages on demand. In this case I'm not sure if the page has anything that warrants this, though.
    • [jesse] Will google spreadsheets disappear?
      • [ck] We should be able to migrate these to someone else's docs, but if the org structure changes we may not need it.
        • Some of them will not be required, but we need to retain them until we sort out continuity for all of the existing work.
    • [yvan] Also permissions in Mana

Agenda items below were not discussed and will be left for next week or smaller meetings or something.

Upcoming Speaking Engagements

(List it at these two locations too: https://developer.mozilla.org/en-US/events & https://wiki.mozilla.org/Security/Talks )

  • Curtis : SkyDogCon: 25-Oct
  • Jeff : Open Memory Forensics Workshop: Nov 4-6th

Planned Blog Posts

For review: https://docs.google.com/document/d/1x1uL27f_FQTy3LoFMwHNIcLDG55sAIURCr1CxVgwxLc/edit

Security Review Status (curtisk)

  • Completed in Q1: 64 / Q2: 72 / Q3: 55

https://security-review-statistics.vcap.mozillalabs.com/weekly < Q4:5