• Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
• Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
• Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
• Phone (Toronto): 416 848 3114 x92 Conf: 95316#
• Phone (US): 800 707 2533 (pin 369) Conf: 95316#

Agenda

• List of Bugzilla email addresses on GitHub; spam
  • [Jesse] https://bugzilla.mozilla.org/show_bug.cgi?id=218917 - Allow Bugzilla login_name != email_address, so address isn't displayed
• [curtisk] Thanks everyone for helping us keep our steady rate of ~60 secreviews per quarter (details below). Let's keep it up.
• Security Reports
• [freddyb] Progress on "Killing Inline Scripts and Stylsheets" in chrome pages
  • https://wiki.mozilla.org/Security/Inline_Scripts_and_Styles
  • needed to apply CSP to Firefox internal webpages (ex. about:home, about:newtab), you just need to know HTML and CSS
  • these are good bugs to try and get community members involved in fixing them and involved in security
  • listed on bugsahoy.com
  • already we have around 5 volunteers helping with this effort
    • [Jesse] Awesome. Let's tweet or blog thanking them.
    • [Curtis] Freddy? can you get with me to draft up a tweet for @MozSec?
    • [Jesse] "We're gradually applying CSP to Firefox's internal web pages. [link to wiki]"
    • [Jesse] or "To protect against XSS attacks on Firefox's internal web pages, we are applying CSP... "
    • [Jesse] "Thanks to volunteers helping with the internal-CSP effort: [twitter usernames & names of those without twitter accounts]"
      • We can email them to ask if they're on Twitter.
• [decoder] Question about applying CSP to individual chrome pages vs all chrome [... ?]

Upcoming Speaking Engagements

(List it at these two locations too: https://developer.mozilla.org/en-US/events & https://wiki.mozilla.org/Security/Talks )

• Jan 23 psiinon - KPMG - OWASP overview (no tweet)
• Jan 27 freddyb talks at "recurity labs security symposium" in beriln (no tweet)
• Feb 5 psiinon - Oracle webcast (Using ZAP for automated testing) ( no tweet)
• Feb 8 psiinon Manchester StudentHack (Mozilla, security, OWASP, open source) (open not sold out) http://www.studenthack.com/

Planned Blog Posts

• [new] https://mana.mozilla.org/wiki/display/SECURITY/Security+Blog+Posts
• [old]https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AlDw2hHXmVgCdHN3LWZTZ0hjMElPc1g2clRKb2lNN3c

Security Review Status (curtisk)

• Completed in Q1:64 / Q2: 72 / Q3:55 / Q4:64

https://security-review-statistics.vcap.mozillalabs.com/weekly

• Q1:2014 :: 7

Metrics

• • https://security-review-statistics.vcap.mozillalabs.com/
  • https://people.mozilla.com/~sarentz/p/dashboard

Operations Security Update (Joe Stevensen)

Project Updates

Please add your name to the update so we know who to follow up with

Firefox Desktop

Firefox Mobile

Firefox OS

Firefox Core

MarketPlace

Web Apps

Services

Operation Security