Security/Meetings/2012-01-04

From MozillaWiki

What needs testing (especially fuzzing) on mobile?

  • curtisk, imelven, decoder, gkw => flesh out?
  • https://etherpad.mozilla.org/mobile-security-testing is my list. Brandon said he has a "master plan", but I don't know anything about it yet.
  • Mobile UI fuzzer idea is floating in the air; gkw is embedding into A-team meetings to find out how this might turn out
    • I [decoder] can probably give hints about the crash triage automation etc. on Android because LangFuzz has that builtin already.
      • A-team might have some APIs we can use

Goals

  • Develop prototype for automation and scalability of ARM and mobile fuzzing
    • Some of our machines are being upgraded
      • Almost done - jsfunfuzz now running on Mac OS X Lion
    • Certain releng machines are only running DOM fuzzer now, should get jsfunfuzz / LangFuzz running too
  • sync auth & BrowserID
    • Define options for better UX that still ensure secure auth and content security
  • Plugin experience - drive update, click to play

Other Possible Goals

  • Get stats on features we want to end-of-life (enablePrivilege, etc)
    • How can we be more specific than "etc"?
      • We can look at features that Chrome/IE have removed for security reasons, e.g. user:pass@host in URLs
    • Telemetry
    • commoncrawl.org might help, for public web anyway (enablePrivilege tends to be used on intranets, not public)
      • It could be replaced by an addon
  • Security Questionnaire
    • Proof of concept implementation
    • Evaluation with previous security review participants
    • Overall improvements and decision if this is helpful and should be adopted into the process, or not

Can we write these goals in a SMART format so we have clear targets? (Specific, Measurable, Actionable, Resourced, Time frame)

Rapid Impact (aka Rapid Response) Team+ (lucas)

  • proposed by jpr
  • temporary (1-2 month) task forces
  • likely topics

Team Embedding

  • We completely reshuffled https://wiki.mozilla.org/Security/TeamEmbedding assignments
    • Mobile - Ian
      • Engineering meeting - 9:30-10:30 Wed (overlaps with secteam)
      • Demo showcase - 1200 Wed
    • web developer tools - tanvi
    • Sync & services - dchan - tanvi also interested
    • Identity, Sync Auth Project - Sid
    • B2G, WebAPI - Lucas
    • Apps - curtis (involved sort of), dchan
    • Jetpack, Add-on SDK, Add-on builder - Dan
    • Thunderbird - dveditz; gkw is interested as well
    • JS - no meetings; covered pretty well by jesse / gkw / decoder
    • Rust - jesse (been inactive)
    • UX - tanvi, jesse interested
      • 11 on Thursday
    • DOM, XPConnect - no meetings, jesse is interested
    • Layout, Style - no meetings, jesse is interested
    • Firefox - Curtis
      • Channel meeting + Triage Tue/Thu 1400
      • Dev Mtg Tue 10
      • Delivery Mtg Wed 10
    • Automation tools (Robocop, Marionette) - gkw, decoder are interested
      • 10-11 on Mon (general ateam meeting, includes robocop)
      • 10-11 on Thu (Marionette)

SecReview MediaWiki Template (curtisk)

Travel

Fuzzing at Mozilla Brown Bag (gkw)

  • Possibly on Jan 30, 1PM (rescheduling as we speak)
    • curtisk will cancel SecReview slot for this day

Comms (curtisk)

Blog

Contributor; Week Of; Topic
curtisk; 9-Jan-2012;
decoder; 23-Jan-2012;
sid; 6-Feb-2012;

BrownBag

  • Feb- Imelven

Lightning talk

Contributor; Month Of; Topic
dveditz; Jan;
Sid; Feb;

Crypto code

  • decoder met with Kai Engert in Berlin (around CCC)
    • According to him, PSM and NSS need more developers; for example, they need better APIs