Security/Meetings/SecurityAssurance/2012-12-04

6,459 bytes added, 16:49, 5 December 2012
{{SecAssuranceMeetingInfo}}
{{TOC right}}
 
=Agenda=
* [curtisk] Cleanup of stale bugs in the "security assurance: review requests" component
** https://bugzilla.mozilla.org/buglist.cgi?quicksearch=comp%3A%22security%20assurance%3A%20review%20request%22;list_id=5125091
** 35 bugs not edited within the last quarter
*** https://bugzilla.mozilla.org/buglist.cgi?type1-0-0=lessthan;list_id=5071289;field0-0-0=status_whiteboard;status_whiteboard_type=allwordssubstr;chfieldto=Now;chfield=%5BBug%20creation%5D;status_whiteboard=pending;bug_status=UNCONFIRMED;bug_status=NEW;bug_status=READY;bug_status=ASSIGNED;bug_status=REOPENED;value1-0-0=2012-10-01;type0-0-0=notsubstring;value0-0-0=%5Bneeds%20info;component=Security%20Assurance%3A%20Review%20Request;field1-0-0=delta_ts
** a regular "whine" is being set up for every Monday for bugs untouched longer than 14 days (currently at 62 bugs)
*** https://bugzilla.mozilla.org/buglist.cgi?type1-0-0=notsubstring;list_id=5125661;type3-0-0=notsubstring;field0-0-0=status_whiteboard;field2-0-0=delta_ts;type0-0-0=substring;value0-0-0=pending;value3-0-0=triage;value2-0-0=2w;field3-0-0=status_whiteboard;type2-0-0=lessthan;query_format=advanced;value1-0-0=needinfo;bug_status=UNCONFIRMED;bug_status=NEW;bug_status=READY;bug_status=ASSIGNED;bug_status=REOPENED;component=Security%20Assurance%3A%20Review%20Request;field1-0-0=flagtypes.name/ <- this URL does not work
* [curtisk] Champion contacts
** https://wiki.mozilla.org/Security/Champions#Security_Champions_2
** Notes from today's Champions meeting: https://etherpad.mozilla.org/champions
* [gkw] Security Review Pass for Minimal Risk Web Apps (from mcoates)
** How are we deciding what is low risk?
*** [mcoates] I proposed criteria in an email. Still TBD, but roughly: No PII, no authentication, not critical for Firefox or B2G, etc. Will move to wiki when less rough.
* Not using Mana (Confluence wiki) for goals
** Problems with Mana: hard to edit (modal WYSIWYG), simultaneous editing does not work, bad email diffs
** [decoder] We could use work.com (previously called Rypple). This could make our yearly review process easier ("What did I do last year?"), if we actually use Rypple again.
*** Especially if we track all our week+ work items, not just our goals, which would have some other advantages.
** [Jesse] I'd prefer a Google Docs Document containing a table. Or a Google Spreadsheet, if mcoates can show me how to put links inside a cell.
*** How about Google Docs for goals, with links to Rypple for task breakdown?
** [anonymous troll] Use VIM to edit something in a git repo
* [mcoates] Embedding: our list of who is embedded where is not accurate
** https://wiki.mozilla.org/Security/TeamEmbedding
** Please check the items you're listed for, and the items you feel like you're embedded for.
* [Jesse] How do the "embedding" and "champion" programs interact?
* Silisec Thursday evening (Sunnyvale) http://silisec.org/meetup/2012/December/ (for socializing with other security professionals)
* BayThreat this Friday/Saturday
* Goals - Please keep status up to date - https://mana.mozilla.org/wiki/display/SECURITY/2012+-+Q4+Goals
* Review Security Radar Page - https://wiki.mozilla.org/Security/Radar
* http://www.squarefree.com/bugzilla/bug-list-munger.html
==Upcoming Speaking Engagements ==
* (Who) : Date: Name of Event : Talk Title: Link
* Yvan Boily : Dec 11 : OWASP Seattle : Security At Scale (Seattle)
* Yvan Boily : Dec 15 : BSidesSeattle : Security Testing with ZAP (Seattle)
=Security Review Status (curtisk)=
Chart View: https://people.mozilla.com/~ckoenig/stats.png
* Completed in Q4 2012:
* Number of Reviews Completed (so far this quarter): 37(33)
** https://bugzilla.mozilla.org/buglist.cgi?list_id=4619884;resolution=FIXED;chfieldto=2012-12-31;query_format=advanced;chfield=resolution;chfieldfrom=2012-09-30;type0-0-0=anywords;component=Security%20Assurance%3A%20Review%20Request;product=mozilla.org
* Number of Outstanding Reviews: 140 (141)
** https://bugzil.la/comp%3A%22security%20assurance%3A%20review%20request%22
* Number of Reviews Ready For Review: 77 (87)
** https://bugzil.la/component%3A%22Security%20Assurance%3A%20Review%20Request%22%20%2Bsw%3A%22pending%22%20-flag%3A%22needinfo%22
* Number of reviews without risk rating: 61 (31)
** https://bugzil.la/component%3A%22Security%20Assurance%3A%20Review%20Request%22%20-sw%3A%22%5Bneeds%20info%5D%22%20-sw%3A%22%5Bscore%3A%22
* Number of reviews without deadline set: 130 (131)
** https://bugzilla.mozilla.org/buglist.cgi?field0-0-0=cf_due_date;query_format=advanced;resolution=---;type0-0-0=isempty;component=Security%20Assurance%3A%20Review%20Request;product=mozilla.org
* Find Yours:
** [https://bugzil.la/component%3A%22Security%20Assurance%3A%20Review%20Request%22%20-sw%3A%22%5Bneeds%20info%5D%22%20-sw%3A%22%5Bscore%3A%22%20owner:%25user%25 Missing Risk Rating (Yours)]
** [https://bugzilla.mozilla.org/buglist.cgi?field0-0-0=cf_due_date;query_format=advanced;resolution=---;type0-0-0=isempty;component=Security%20Assurance%3A%20Review%20Request;product=mozilla.org;field1-0-0=assigned_to;type1-0-0=equals;value1-0-0=%25user%25 Without Deadline (Yours)]
=Operations Security Update (Joe Stevensen)=
=Project Updates =
Please don't leave a section blank. Add "No Update" if nothing has changed.
==Silent updates (rforbes / dveditz)==
== B2G (Paul Theriault, David Chan) ==
* more progress on api testing
==Thunderbird (Adam Muntner) ==
==Rust (Jesse Ruderman) ==
==Mobile (Mark Goodwin) ==
==Sync (Simon Bennetts) ==
No update
==Services (Simon Bennetts & Adam Muntner) ==
No update
==Jetpack, Add-on SDK, Add-on Builder (Dan Veditz) ==
==JS (Christian Holler) ==
* No update
==DOM, XPConnect (Jesse Ruderman) ==
==Layout, Style (Jesse Ruderman) ==
==Automation Tools (Gary Kwong) ==
* No update
==Web Developer Tools (Mark Goodwin) ==
== Networking (Christoph Diehl) ==
* Waiting for https://bugzilla.mozilla.org/show_bug.cgi?id=792175
== Media / Graphics (Christoph Diehl) ==
* No update
== Peach (Christoph Diehl / Raymond Forbes) ==
* Add OGG Skeleton 3/4 support
== Market (Raymond Forbes) ==
==Firefox APIs (Raymond Forbes) ==
==Payment Flow (Raymond Forbes) ==
==Dynamic API Security Model (Raymond Forbes) ==
==WebRT (Raymond Forbes) ==
==BrowserID ==
== Identity Services (David Chan) ==
==Addons.M.O (Raymond Forbes) ==
==Bugzilla.M.O (Mark Goodwin & Eric Parker) ==
==Mozillians (Raymond Forbes) ==
==MDN (Raymond Forbes) ==
==SUMO (Kitsune) () ==
== AddressSanitizer (Christian Holler) ==
* mozilla-central builds fixed