{{SecAssuranceMeetingInfo}}
{{TOC right}}
=Agenda=
* I [freddy] was asked to talk briefly about the b2g-email app review, can do that.
* starttls bug https://bugzilla.mozilla.org/show_bug.cgi?id=784816
* [Yvan] Team Meetup Update
** https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AmLct3lOMM6ZdDAyd0tvaUxmV3BkdV81aDA5UXlINkE#gid=11
** Choose your entree of Beef or Fish (column c)
** https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AmLct3lOMM6ZdDAyd0tvaUxmV3BkdV81aDA5UXlINkE#gid=0
* [gkw] How much value of a prepaid SIM card can we expense while we're in Paris?
** We have to obtain this before we fly off to France (Le French Mobile, Orange recommended)
** [yvan] will take this on
** http://www.lefrenchmobile.com/en/data-bundles.html
** Yvan to investigate
* [curtisk] Sec-Champs (meeting was today)
** Agenda
*** Security Blog changes
**** Trying to blog once a week
**** Security Champions invited to contribute!
*** Sec Notification Process (draft) https://etherpad.mozilla.org/security-notification-process
**** please give feedback
**** wkg asked about how we find sites and APIs for cloning bugs when we have a large number of sites
*** (curtisk) Quarterly Goal for Security Champions - Roles & Responsibilities
**** What we expect from champions
**** How champions can make security decisions
**** How champions can engage the security team
**** planned structure: as a workshop for summit to be presented
*** Where are we with BREACH?
*** need to find all the sites where we might be vulnerable
*** https://bugzilla.mozilla.org/show_bug.cgi?id=903627
**** bug is stalled a bit in IT, needs input from SA mgmt, wkg to need-info whom he thinks needs to be involved
**** https://github.com/mozilla/minion-breach-plugin (checks HTTP compression, but I think we can be more aggressive and can perform actual attack with an average success; it's a tricky attack....)
** Open questions
*** Sumo and bounties
**** possible blog post on using stage to look for bounties
*** Adding Persona to bounty program (francios)
**** email dveditz, chofmann, abillings, rforbes & myself to start discussion
* [decoder/dveditz] Financial aspects of ASan builds/tests (Important)
* [st3fan] OHM2013 Update - http://www.flickr.com/photos/19132706@N00/9416763300/
** https://people.mozilla.com/~sarentz/talks/ohm2013/firefoxos.pdf
** https://people.mozilla.com/~sarentz/talks/ohm2013/websecurity101.pdf
* [curtisk] blog stuff below
** blog ideas in communication plans document on gdocs: https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AlDw2hHXmVgCdHN3LWZTZ0hjMElPc1g2clRKb2lNN3c#gid=0
* Goals - Please keep status up to date - https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AmLct3lOMM6ZdGVNXzUxZkJ0WHJPNG0wMDF3ODF6REE
* Metrics
** https://security-review-statistics.vcap.mozillalabs.com/
** https://people.mozilla.com/~sarentz/p/dashboard
* Security Reports
** [cr] Some discussions around the SMS-OTA issue, and how it affects Firefox OS, but it's basically in the hands of radio vendors and mobile operators, and thus largely beyond our control.
*** Some background is here: https://srlabs.de/rooting-sim-cards/
* [PT] Conference Plan
** Team plan for attending conferences. Get the most out of our time
** Spreadsheet in team share - add any missing conferences
** Need to follow up on AppSecUSA
* [pt] campjs was GREAT https://plus.google.com/s/campjs
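The BREACH item above asks which of our sites "might be vulnerable", and notes that the minion-breach-plugin only checks HTTP compression. The script below is an added example (not the plugin's code and not part of the original meeting notes) of the triage check a site owner can run on a captured HTTPS response: BREACH needs a compressed body, a secret in that body, and request-controlled input reflected into the same body, all at once, so the check reports each precondition separately and flags the response only when all hold. The sample responses, the `csrf_token` field name and the reflected string `hello` are constructed test data; the secret-detection patterns are an assumption and should be extended with whatever token names a given site actually emits.

```python
"""Triage check for BREACH preconditions on a captured HTTP response.

Added example, not the minion-breach-plugin's own code. Reports which of the
conditions BREACH depends on hold for one response, so a defender can decide
where to disable compression on secret-bearing pages or mask the secrets.
"""
import gzip
import re
import zlib

# Assumption: hidden-form CSRF fields are the secrets we care about here.
# Extend this list with the token names a given site really uses.
SECRET_PATTERNS = [
    re.compile(rb'name="csrf[_-]?token"\s+value="([^"]+)"', re.I),
    re.compile(rb'name="_csrf"\s+value="([^"]+)"', re.I),
]


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].decode()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return status, headers, body


def decode_body(headers, body):
    """Undo gzip/deflate so reflection and secret checks see the real markup.
    Brotli ('br') is left as-is here; decoding it needs a third-party module."""
    enc = headers.get("content-encoding", "identity").lower()
    if enc == "gzip":
        return gzip.decompress(body)
    if enc == "deflate":
        try:
            return zlib.decompress(body)          # zlib-wrapped deflate
        except zlib.error:
            return zlib.decompress(body, -zlib.MAX_WBITS)  # raw deflate
    return body


def breach_findings(raw, reflected_input, over_https=True):
    """Return a dict of the individual BREACH preconditions plus 'exposed',
    which is True only when every precondition holds at once."""
    _, headers, body = parse_response(raw)
    plain = decode_body(headers, body)
    enc = headers.get("content-encoding", "identity").lower()
    findings = {
        "compressed": enc in ("gzip", "deflate", "br"),
        "reflects_input": reflected_input.encode() in plain,
        "secret_in_body": any(p.search(plain) for p in SECRET_PATTERNS),
        "over_https": over_https,
    }
    findings["exposed"] = all(findings.values())
    return findings


def build_sample(compress):
    """Constructed sample response (not from any real site): a page with a
    hidden CSRF token that also echoes the user's search term."""
    html = (b'<html><form><input type="hidden" name="csrf_token" value="d34db33f">'
            b'</form><p>Results for: hello</p></html>')
    lines = [b"HTTP/1.1 200 OK", b"Content-Type: text/html"]
    body = html
    if compress:
        body = gzip.compress(html)
        lines.append(b"Content-Encoding: gzip")
    lines.append(b"Content-Length: " + str(len(body)).encode())
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


if __name__ == "__main__":
    for label, compress in (("compressed", True), ("compression disabled", False)):
        result = breach_findings(build_sample(compress), "hello")
        print(label, result)
```

Running the script prints one findings line per sample: the gzip-encoded response shows every precondition (and `exposed`) as True, while the same page served with compression disabled still contains the token and the reflection but is reported as not exposed. For a real audit, replace `build_sample` with responses captured from the site under test, pass the actual query parameter value as `reflected_input`, and set `over_https` from the scheme of the captured request.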
=Upcoming Speaking Engagements=
(List it at these two locations too: https://developer.mozilla.org/en-US/events & https://wiki.mozilla.org/Security/Talks )
* Yeuk Hon's intern presentation on Friday, 4:30 PST (see https://air.mozilla.org/channels/interns-2013/)
* AppSec EU - Yvan, Simon, Freddy, Michael
=Planned Blog Posts=
* https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AlDw2hHXmVgCdHN3LWZTZ0hjMElPc1g2clRKb2lNN3c --> moving to mana
** plan to post 1 per week (should average to ~2 posts per year, per team member)
*** include posts from sec-eng and guest posts from sec-champs or frequent contributors / bounty reporters
** Next steps:
*** everyone on the team _must_ submit a topic to blog on
*** First post: next week by Yeuk on Minion plugins
*** Set up shared zimbra calendar (similar to rotation) and assign writers to date slots (this should show up on your personal calendar and give you a reminder that your date is coming)
=Security Review Status (curtisk)=
* Completed in Q1: 64 / Q2: 72
* https://security-review-statistics.vcap.mozillalabs.com/weekly (24)