Security/Meetings/Automation/2015-05-12
From MozillaWiki
- Testing HPKP on input.mozilla.org
- https://bugzilla.mozilla.org/show_bug.cgi?id=1088774
- validation may need better tooling
- can use xpcshell, which uses Firefox
- shouldn't be too hard to do in ZAP (mgoodwin will give it a shot, psiinon will review)
- risk: you can DoS yourself if no backup digest is provided; HPKP requires 2 digests for the pin to be taken into account, and the 2nd pin doesn't need to be in the chain used to set the header
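A small HPKP header checker, added here as an example (not from the page or any Mozilla tool), that applies the two-pin rule above: it parses a Public-Key-Pins value, derives pins from constructed stand-in SPKI blobs, and flags a header with fewer than two pins, none matching the served chain, or no backup pin outside the chain.

```python
import base64
import hashlib

def spki_pin(spki_der: bytes) -> str:
    """HPKP pin value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_hpkp(header: str) -> dict:
    """Split a Public-Key-Pins header value into its pin list and directives."""
    pins, directives = [], {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            pins.append(value)
        elif name:
            directives[name] = value
    return {"pins": pins, "directives": directives}

def validate_hpkp(header: str, chain_spkis: list) -> list:
    """Return the problems that would make a browser ignore the header
    or leave the site with no way to rotate keys."""
    parsed = parse_hpkp(header)
    pins = set(parsed["pins"])
    chain_pins = {spki_pin(s) for s in chain_spkis}
    problems = []
    if "max-age" not in parsed["directives"]:
        problems.append("missing max-age directive")
    if len(pins) < 2:
        problems.append("fewer than two pins: browsers ignore the header")
    if not pins & chain_pins:
        problems.append("no pin matches the served chain: header rejected")
    if pins and pins <= chain_pins:
        problems.append("no backup pin outside the chain: key rotation would lock clients out")
    return problems

# Constructed stand-ins for DER SPKI blobs; real ones come from the certificates.
LEAF_SPKI = b"constructed-leaf-spki"
INTERMEDIATE_SPKI = b"constructed-intermediate-spki"
BACKUP_SPKI = b"constructed-offline-backup-spki"  # backup key, deliberately not in the chain
CHAIN = [LEAF_SPKI, INTERMEDIATE_SPKI]

GOOD = f'pin-sha256="{spki_pin(LEAF_SPKI)}"; pin-sha256="{spki_pin(BACKUP_SPKI)}"; max-age=5184000; includeSubDomains'
NO_BACKUP = f'pin-sha256="{spki_pin(LEAF_SPKI)}"; pin-sha256="{spki_pin(INTERMEDIATE_SPKI)}"; max-age=5184000'
SINGLE = f'pin-sha256="{spki_pin(LEAF_SPKI)}"; max-age=5184000'
```

Feed `validate_hpkp` the header you plan to deploy plus the SPKI of every certificate in the chain you actually serve; an empty list means the pin set is both accepted and survivable.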
- Building a set of small programs ("menagerie") that demonstrate specific security features:
- hpkp, hsts, sri, csp, anti csrf, ...
- we could give a real cert to docker images, but needs to be on an isolated domain
- ansible & docker are good automation tools for this
- MWoS 2015/16: who wants to participate?
Status Updates
- freddy did eslint things and April helped
- i.e. automated code checks to avoid code like 'innerHTML = foo'
- feedback appreciated!
- https://github.com/mozfreddyb/eslint/blob/e4290efeb28cf9e28943f3bf5d885aa78abb1346/tests/lib/rules/no-unsafe-innerhtml.js
- safebrowsing/tracking protection in b2g/gaia
- freddy can demo his SRI presentation for anyone who's interested - after this meeting
- would be useful to add to the secure coding guidelines
- https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines
- needs tooling, still
- could make a code generator for security features similar to http://mozilla.github.io/server-side-tls/ssl-config-generator/
- would be useful to add to the secure coding guidelines
- jeff
- DEF CON 23 presentation submitted for 'TSAWS'
- Got myo working in MozDef, but stopped by...SSL!
- psiinon
- Talking in Sheffield and Amsterdam (ZAP 2.4.0 + ZAAS?)
- ZAP adv fuzzing looks fun ;)
- Need to focus on moving ZAP to GitHub
- Interesting news: http://www.theregister.co.uk/2015/05/05/rapid7_buys_web_app_security_firm_nto/
- mgoodwin
- Talking in Sheffield (thinking out loud about PKI)
- being generally appalled at how hard it is to do any x509 related stuff in any crypto libs
- it's _supposed_ to be easy(easier?) in Go :(
- https://github.com/mozilla/TLS-Observer
- it's a nice theory - Now look at how well verifying CRL is supported ;)
- Menagerie ++^2