SecurityEngineering/MeetingNotes/03-21-13

From MozillaWiki

Standing Agenda

  • Q1 Goals Recap (https://intranet.mozilla.org/2013Q1Goals#Security_Engineering)
  • Review roadmap priorities to ensure they accurately reflect active projects and Mozilla's priorities
  • Suggest additions or changes to roadmaps
  • Detailed discussion of features or outstanding issues as time permits
  • Additional Items
  • Upcoming events, OOO/travel, etc.

Last week: https://wiki.mozilla.org/SecurityEngineering/MeetingNotes/03-14-13

Agenda

  • Q2 Goals Brainstorm
  • Security AMA
  • GSoC

Goals Recap

  • [at risk] application reputation
  • [miss] PKIX by default - held up by the review process and the need to write tests; another approach is being explored
  • [done] land mixed content UI v1
  • [done] getRandomValues - landed in Desktop, mobile, and Firefox OS!
  • [on track] CSP evangelization
    • CSP 1.0 not turned on in Nightly due to B2G mochitest issues with inline styles
    • did a talk at BSides to promote CSP use
    • still want to do an OWASP cheat sheet when 1.0 lands
    • spoke to Yvan about a dogfooding project and whether there's a Security Champion who would be interested; going to discuss with him further on Monday
  • [done] Analyze and publish results of Q4's security/privacy settings study
  • [on track] Design cookie survey for test pilot (mmc)

Q2 Goals Brainstorm

  • Something around fast profile switching
    • mock-up creation
    • design some sort of user research study <-- execution would be the following quarter
    • pilot blushproof study (to identify potentially embarrassing topics, and how people navigate between them)
    • Profile in the Cloud -- don't screw it up
    • Identifying use cases for fast profile switching
    • how many people use different browsers, different devices, for what reasons?
  • Fix N {CSP, Mixed Content, iframe sandbox, ...} bugs
  • SSL key limits - technical enforcement of key size limits (fix this bug, advocacy, testing/telemetry) -- Caution: May have some dependencies that are hard to land
  • Establish a series, or run a one-time training session, for developers on topics like XSS, CSRF, SSL, etc. It would include best practices and features like HSTS that can help.
  • Establish a series of "describe feature X" blog posts or MDN pages that help explain the things we've done and are working on. (What the feature does, and how it improves security or privacy.) Contextualize in terms of trends in web security, compare to approaches used by other browsers.
  • Overhaul MDN documentation of CSP
  • Improve searchability for "David Keeler" (SEO)
    • start new lifestyle
  • Write MDN documentation for mixed content blocker

Security AMA

https://etherpad.mozilla.org/security-ama

Google Summer of Code