Security/Meetings/SecurityAssurance/2014-03-25
- Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
- Place: Mozilla HQ, MTV 217 Star Trek
- Phone (US/Intl): 650 903 0800 x92 Conf: 95217#
- Phone (Toronto): 416 848 3114 x92 Conf: 95217#
- Phone (US): 800 707 2533 (pin 369) Conf: 95217#
Agenda
(feel free to add things you would like to discuss)
- [joes] Improving this meeting
- No agenda, no meeting?
- +1
- Relevant topics only
- Get rid of the meeting, but schedule one-time meetings (with relevant people) if we have things to talk about
- Make this meeting less frequent
- Volunteer, or be volunteered :)
- keep it and get better involvement from attendees
- No agenda, no meeting?
- [joes] Upcoming Security work week
- No agenda items, no work week.
- Action Item: Agenda items due to your manager by Friday, March 28
- Send feedback to your manager regardless of how you feel --yvan
- [yvan] WebAppSec (5 mins)
- Weekly Sites & Services security meeting - 9:00 GMT-8 Thursdays. Will be on wiki
- Secure Coding Guidelines & Basic Security Requirements
- Strategy - global tracking bugs
- Distill tests for each issue (work has been mostly completed)
- Provide single ongoing tracking bug for these issues
- [michal] NSM efforts, C&C detection (5 mins)
- [ulfr] gpg/pgp use in Mozilla
- https://www.yammer.com/mozilla.com/#/Threads/show?threadId=378336939
- gpg key signing "party" at 1400 PDT in ulfr's vidyo room
- There's a mana page that describes most of it https://mana.mozilla.org/wiki/display/SYSADMIN/GnuPG
- [curtis] communications
- blog
- post all the things!
- 'if you write it, he will post it'
- [curtis] stats (deferred to next week)
- what stats do we think are important to talk about (for each team)
- what stats do we think are important to report up the chain?
- why specifically "up the chain" rather than publicly, or to the relevant development team? < because we need to communicate internally to mgmt before we go public with info; not mgmt, internally. no reason to withhold data from staff
Silent Updates
(feel free to add things you would like people to read)
- [joes] IT is starting a small pilot of the Duo Security MFA solution. We would like some testers in Security Assurance to help test enrollment, especially non-US residents, since mobile phones are used for enrollment. Please see joes or kang if you wish to help test. The long-term goal is to roll out MFA to Mozilla and get rid of LDAP expiration.
- what sites/services will be using Duo for when rolled out?