Security/Meetings/2011-06-29

From MozillaWiki
Jump to: navigation, search

DNSSEC update

  • David Keeler is currently experimenting with standalone programs that verify DNSSEC chains.
  • For more information, see https://wiki.mozilla.org/Security/DNSSEC-TLS.
    • Let's turn this page into a feature page (or additionally make a feature page).

Reminders

  • Book your flights for Black Hat, and change your hotel reservation if needed.
  • You can ask for an Android device: a phone (without service) or a tablet. File an IT request, CCing Lucas.
    • If you could use it as your primary mobile device (filing bugs as you run into them), you should probably ask for one.
    • If you would develop on it, you should definitely ask for one.
    • Asking for a tablet (rather than a phone) is fair game, since a tablet costs about the same as an unsubsidized phone, and our policy allows you to get phones unsubsidized.

Q3 goals

We've been asked to come up with a list of three goals.

Comments about picking goals

  • most important
  • most impactful
  • support the wider goals
  • forward looking, as opposed to catch-up and "stuff we'd be doing anyway"

Comments about writing goals

  • [Curtis] Goals should IMO follow the SMART format (Specific, Measurable, Achievable, Results Oriented, Time bound), for the final format, once we decide what we want
  • The last merge date of the quarter is 2011-09-27 (Firefox 9 -> mozilla-aurora; Firefox 8 -> mozilla-beta; Firefox 7 -> mozilla-release)

Nominations

  • [Jesse] Root cause analysis of some security bugs in two components.
    • Recommend how to reduce security holes in those components
    • Recommend rules of thumb for when/how to do RCA.
    • Recommend a process for how we can build RCA into our life cycle: do it for every sg:crit as it comes in, or for every component occasionally.
    • JS is very likely. DOM and Layout are good candidates.
  • Does anything on Security/Roadmap rise to the level of a team goal?
    • XSS filter
    • DNSSEC (perhaps just the CA-lock part, in nightly)
    • Mixed content (good timing wrt chrome)
    • Click-to-play plugins
    • iframe sandbox (good timing wrt ie) (plugin questions)
    • Let us choose later: "Get a P1 or P2 security-roadmap feature added in Nightly"
  • [bsmith] Write recommendations for web app security, especially for apps that were formerly native apps.
    • So we know what security features the web platform are missing (e.g. crypto, logout, iframe sandbox, link fingerprints)
    • Is this something we'd do jointly with infrasec or webdev?
  • [Curtis] All major features complete a security discussion before landing in Aurora for FX 7,8,9
  • [imelven] ARM fuzzing
    • But we barely have regression testing working on ARM, and fixing that doesn't really seem like a job for the security team. They are currently working to improve this situation.
  • [Lucas] Embed into the following teams: ... (identity: Sid/Curtis) (webapps: bsterne)
  • [Jesse] Remove barriers to https (DNSSEC, no-cache, cache defaults)

Winners

  • XSS filter on mozilla-central in time for 9 Aurora (2011-09-27).
  • Root cause analysis of enough bugs in two components to come up with recommendations for how to include RCA in our security lifecycle.

Homework

  • Improve wording for goals
  • Debate third goal over email?