Security/Meetings/SecurityAssurance/2013-11-12
- Time: (Weekly) Tuesday at 13:30 PDT / 16:30 EDT / 21:30 UTC.
- Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
- Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
- Phone (Toronto): 416 848 3114 x92 Conf: 95316#
- Phone (US): 800 707 2533 (pin 369) Conf: 95316#
Agenda
- Goals - Please keep status up to date - https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AthhYg2CqN25dGRDX0ZqTkJ4dTJGWFVyb2RmNTNDbmc
- Metrics
- [curtisk] marketplace wants to do a ctf (andym)
- [curtis] Security Reports
- [pauljt] Scrum process - what is happening here
- current Sprint: http://scrumbu.gs/t/security-assurance/sa-sprint-2/
- Overview: https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AlDw2hHXmVgCdHJlUVJ5TGcyYWZTbVlMOHBKU3Y4Z2c&usp=drive_web#gid=1
- Stand up https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AlDw2hHXmVgCdFNtV0JNX091UWhKRTIxbTRKQl9FeHc&usp=drive_web#gid=1
- process docs are being written
- how do we get involved
- how are we assigning etc etc
- [yvan] contributor messages
- [curtisk] please review https://wiki.mozilla.org/Security/Process/Secreview_Bug_Process
- I need as much feedback as you can give me
- [ulfr] Map of OpSec policies and review workflow https://mana.mozilla.org/wiki/display/~jvehent@mozilla.com/Security+Assurance+Map
Upcoming Speaking Engagements
(List it at these two locations too: https://developer.mozilla.org/en-US/events & https://wiki.mozilla.org/Security/Talks )
- Yvan - University of Manitoba
- Yvan - University of Winnipeg
- Yvan - BSidesWinnipeg
- Psiinon - AppSec USA or something Next week :)
Planned Blog Posts
- freshly published: https://blog.mozilla.org/security/2013/11/12/navigating-tls/
- [new] https://mana.mozilla.org/wiki/display/SECURITY/Security+Blog+Posts
- [old] https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AlDw2hHXmVgCdHN3LWZTZ0hjMElPc1g2clRKb2lNN3c
- mgoodwin / Pomax - something about webmaker
- planned: benefits of x-frame-options [freddyb]
- based on whitepaper released last week https://frederik-braun.com/xfo-clickjacking.pdf
- and please note the fact that missing the header doesn't mean the site is vulnerable. Context matters (noted)
Security Review Status (curtisk)
- Completed in Q1: 64 / Q2: 72 / Q3: 55
https://security-review-statistics.vcap.mozillalabs.com/weekly (Q4:21)
Operations Security Update (Joe Stevensen)
- Monitor for threats outlined in https://pastebin.mozilla.org/3590094
- Jeff would like to work with someone from appsec to make sure we are monitoring/seeing likely attacks *before* we are attacked.
Project Updates
Please add your name to the update so we know who to follow up with