• Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
• Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
• Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
• Phone (Toronto): 416 848 3114 x92 Conf: 95316#
• Phone (US): 800 707 2533 (pin 369) Conf: 95316#

Agenda

• [yvan] reorg stuff
  • only 2 min each to talk in this meeting
  • Unless you've heard otherwise from your manager, your goals are still your goals
• Goals - Please keep status up to date - https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AthhYg2CqN25dGRDX0ZqTkJ4dTJGWFVyb2RmNTNDbmc
• Metrics
  • https://security-review-statistics.vcap.mozillalabs.com/
  • https://people.mozilla.com/~sarentz/p/dashboard

[ulfr] Risk review on web projects https://mana.mozilla.org/wiki/display/SECURITY/Business+Level+Risk+Assessment https://wiki.mozilla.org/Security/Reviews/Nucleus

• Single points of failure < abillings should have backup for dveditz on more stuff
  • [action] Identify backups for each lead (Joe, Dan, Yvan, Paul)
• [curtisk] SecChamps meeting from 2013.10.22 (jim chen, ricardo, dbolter, wkg)
• django upgrades still rolling along
• BREACH work on load balancers https://bugzilla.mozilla.org/show_bug.cgi?id=903627 seems to have stalled
• python 2.6 EOL is Oct 2013 https://bugzilla.mozilla.org/show_bug.cgi?id=903627 need to look at upgrade 2.7
  • [action] Find impacted systemd (tinfoil)
• [psiinon] https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project
• * please add wordpress to the list :D r+
• [Jesse] Bug bounties for Rust (compiler & std lib)
  • [action] Send to bug bounty team & rust team to initiate discussion (yvan)
• [kang | jeff] update on IR policy https://mana.mozilla.org/wiki/display/SECURITY/Incident+Response+Policy

Upcoming Speaking Engagements

(List it at these two locations too: https://developer.mozilla.org/en-US/events & https://wiki.mozilla.org/Security/Talks )

• psiinon, mgoodwin Oct 31 OWASP Limerick Day https://www.owasp.org/index.php/OWASP_Limerick_Day_2013
• psiinon Nov 20-21 OWASP AppSec USA New York
• st3fan Oct-25 Web App Security 101 @ Toronto JUG (already done, just wanted to mention it :-)
• Jeff Open Memory Forensics Workshop Nov 4-6th
• Paul - Sydney Mobile Developer Group (maybe tonight, maybe january)
• Yvan - BSidesWinnipeg (Nov 16/17)

Conference Planning

• CanSecWest ( March 12-14, 2014)
• Blackhat/Defcon ( Aug 2-7, 2014)

Planned Blog Posts

can someone review my blog post? https://docs.google.com/document/d/1x1uL27f_FQTy3LoFMwHNIcLDG55sAIURCr1CxVgwxLc/edit

• [new] https://mana.mozilla.org/wiki/display/SECURITY/Security+Blog+Posts
• [old]https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AlDw2hHXmVgCdHN3LWZTZ0hjMElPc1g2clRKb2lNN3c

Security Review Status (curtisk)

• Completed in Q1:64 / Q2: 72 / Q3:55

https://security-review-statistics.vcap.mozillalabs.com/weekly < Q4:9

• • breakout stale bugs by team

Operations Security Update (Joe Stevensen)

• Security Reports

Project Updates

Please add your name to the update so we know who to follow up with

Firefox Desktop

Firefox Mobile

Firefox OS

Firefox Core

MarketPlace

Web Apps

Services

Operation Security