Security/Meetings/SecurityAssurance/2012-05-29
- Time: (Weekly) Tuesday at 13:30 PDT / 16:30 EDT / 20:30 UTC.
- Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
- Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
- Phone (Toronto): 416 848 3114 x92 Conf: 95316#
- Phone (US): 800 707 2533 (pin 369) Conf: 95316#
Agenda
- [curtisk] Priorities for incoming work, especially security reviews (raw list, working on a ranking matrix)
- https://wiki.mozilla.org/Security/RiskRatings
- Incident
- Mozilla Initiative
- Overall Mozilla Quarterly Goal (includes ongoing goals like "keep Firefox safe")
- Other Team's Quarterly Goal
- Reviews that have been waiting for a long time
- Other
- [mcoates] London week update
- https://etherpad.mozilla.org/security-assurance-london <- provide suggestions on format/schedule
- We need to submit an agenda. Please put suggestions in etherpad.
- [decoder] Working on new blog post "7 Tips for Fuzzing Firefox": https://security.etherpad.mozilla.org/SecurityBlogFuzzingTips
- [dchan] Describing the security lifecycle for Firefox and Fennec
- what do we do outside for reviews, design analysis, fuzzing, bounty program, source is open
- https://wiki.mozilla.org/Security/Reviews/Secure_Development_Lifecycle
- [gkw] fuzzing on more machines - how should we scale?
- Just something to ponder moving forward
- Goals - Please keep status up to date - https://mana.mozilla.org/wiki/display/INFRASEC/2012+-+Q2+Goals
- Reminder: the last two weeks of a quarter tend to be hectic due to other teams inundating us with requests. So we only have two weeks to get our own work finished.
- [ptheriault] Reach out to universities. I am doing a talk this Friday at my old uni, https://etherpad.mozilla.org/bughuntingatmozilla <-- add ideas here. Topic is "bug hunting @ mozilla". More broadly I was planning on reaching out to other unis in AU, especially ones with security programs. Thoughts?
Meeting Notes
Security Review Status (koenig)
- Number of Reviews Completed (so far this quarter): 49 (last week 48)
- https://bugzilla.mozilla.org/buglist.cgi?keywords=sec-review-complete%2C%20;keywords_type=allwords;list_id=2876446;field0-0-0=keywords;type0-0-0=changedafter;value0-0-0=2012.03.31;query_format=advanced = 22 (22)
- https://bugzilla.mozilla.org/buglist.cgi?list_id=2999910;resolution=FIXED;chfieldto=Now;chfield=resolution;query_format=advanced;chfieldfrom=2012-03-31;type0-0-0=anywords;component=Security%20Assurance%3A%20Review%20Request;product=mozilla.org = 27 (26)
- Number of Outstanding Reviews: 193 (last week 192)
- https://bugzilla.mozilla.org/buglist.cgi?keywords=sec-review-needed%2C%20;query_format=advanced;keywords_type=allwords;list_id=2876531;field0-0-0=product;type0-0-0=notequals;value0-0-0=mozilla.org;resolution=---;resolution=DUPLICATE = 50
- https://bugzilla.mozilla.org/buglist.cgi?list_id=2999921;query_format=advanced;bug_status=UNCONFIRMED;bug_status=NEW;bug_status=ASSIGNED;bug_status=REOPENED;component=Security%20Assurance%3A%20Review%20Request;product=mozilla.org = 143
Project Updates
Please don't leave blank. Add "No Update" if nothing has changed
Silent updates (rforbes / dveditz)
- "background updates" now on Firefox Nightly
B2G (Paul Theriault, David Chan)
This week's reviews:
- web activities
- browser API
- settings API
- Permissions Model work slowly making progress.
- B2G team says multiprocess not ready for M3.
Thunderbird (Adam Muntner)
Rust (Jesse Ruderman)
Mobile (Mark Goodwin)
Getting to grips; I've got lots to learn here, so I'll be taking some time for R&D.
Sync (Simon Bennetts & Adam Muntner)
Services (Simon Bennetts & Adam Muntner)
- tokenserver review slipped and in progress
- mentioned that Simon is coming on board to help
Social - Pancake (Mark Goodwin)
The team are sorting out the last few bugs; it looks in OK shape.
Jetpack, Add-on SDK, Add-on Builder (Dan Veditz)
JS (Christian Holler)
- IonMonkey differential testing has already revealed several correctness issues
- [decoder & gkw] IonMonkey crash testing continues to find crash bugs on all platforms regularly
DOM, XPConnect (Jesse Ruderman)
Layout, Style (Jesse Ruderman)
Automation Tools (Gary Kwong)
- [decoder] Working on automation for push-to-try builds (e.g. for ASan)
Web Developer Tools (Mark Goodwin)
No update (other than that a security review of the debugger took place last week).
Networking (Christoph Diehl)
- Updated SMS fuzzer pushed to repository
- supports mutation of PDUs, including the UDH/IEIs and the UD in 7-, 8- and 16-bit encodings
- waiting for more IEI support in B2G, e.g. for MMS
- In talks with the media team
- gathering information and building a fuzz plan for all the protocols. (Not yet finished)
- it should be doable to fuzz the important protocols like STUN, TURN and SDP by the end of next month.
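The SMS fuzzer update above describes mutating PDUs at the level of the UDH, its IEIs and the user data in each of the three alphabets. The following is an added illustration of that idea, not the Mozilla fuzzer's code: it builds an SMS-DELIVER TPDU per 3GPP TS 23.040 (the sender number, timestamp and text are constructed, and the alphabet handling is simplified to characters whose ASCII and GSM 7-bit codes coincide), parses out the fields a fuzzer targets, and applies structure-aware mutations such as UDHL and IEDL over-claims, an inconsistent DCS, and broken concatenation sequence numbers. All function names are this example's own.

```python
import math
import random

DCS_GSM7, DCS_8BIT, DCS_UCS2 = 0x00, 0x04, 0x08   # TP-DCS alphabets (3GPP TS 23.038)
IEI_CONCAT8 = 0x00  # concatenation IE: reference, total parts, sequence number


def swapped_bcd(digits):
    """Encode a digit string as swapped-nibble BCD, padding an odd length with F."""
    if len(digits) % 2:
        digits += "F"
    return bytes(int(digits[i + 1] + digits[i], 16) for i in range(0, len(digits), 2))


def pack_7bit(septets, fill_bits=0):
    """Pack 7-bit values LSB-first into octets after fill_bits leading zero bits."""
    out, acc, nbits = bytearray(), 0, fill_bits
    for s in septets:
        acc |= (s & 0x7F) << nbits
        nbits += 7
        while nbits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            nbits -= 8
    if nbits:
        out.append(acc & 0xFF)
    return bytes(out)


def gsm7_septets(text):
    """Simplification: only characters whose GSM 7-bit code equals their ASCII code."""
    if not all((c.isascii() and c.isalnum()) or c == " " for c in text):
        raise ValueError("example alphabet: ASCII letters, digits and space only")
    return [ord(c) for c in text]


def build_deliver(sender, text, dcs=DCS_GSM7, udh=b""):
    """Build an SMS-DELIVER TPDU; udh is the raw IE list without the UDHL octet."""
    first = 0x40 if udh else 0x00          # MTI = SMS-DELIVER; UDHI set when a header is present
    digits = sender.lstrip("+")
    tpdu = bytes([first, len(digits), 0x91]) + swapped_bcd(digits)   # TP-OA, international
    tpdu += bytes([0x00, dcs]) + swapped_bcd("12052913300000")       # PID, DCS, SCTS (constructed)
    udh_block = bytes([len(udh)]) + udh if udh else b""
    if dcs == DCS_GSM7:
        fill = (7 - len(udh_block) * 8 % 7) % 7          # text restarts on a septet boundary after the UDH
        septets = gsm7_septets(text)
        udl = math.ceil(len(udh_block) * 8 / 7) + len(septets)   # UDL counts septets in 7-bit mode
        ud = udh_block + pack_7bit(septets, fill)
    else:
        payload = text.encode("utf-16-be") if dcs == DCS_UCS2 else text.encode("latin-1")
        ud = udh_block + payload
        udl = len(ud)                                    # UDL counts octets in 8-bit and UCS-2 mode
    return tpdu + bytes([udl]) + ud


def parse_deliver(pdu):
    """Locate the fields a fuzzer targets: UDL/UD offsets, DCS and the decoded UDH IEs."""
    first, oa_len = pdu[0], pdu[1]
    pos = 3 + (oa_len + 1) // 2                # first octet, OA length, TOA, OA digits
    udl_off = pos + 9                          # PID, DCS and the 7-octet SCTS precede UDL
    info = {"udhi": bool(first & 0x40), "dcs": pdu[pos + 1], "udl": pdu[udl_off],
            "udl_off": udl_off, "ud_off": udl_off + 1, "ies": []}
    if info["udhi"]:
        udhl = pdu[info["ud_off"]]
        p, end = info["ud_off"] + 1, info["ud_off"] + 1 + udhl
        while p + 2 <= end:                    # each IE: IEI, IEDL, data
            iei, iedl = pdu[p], pdu[p + 1]
            info["ies"].append((p, iei, pdu[p + 2:p + 2 + iedl]))
            p += 2 + iedl
    return info


def mutate(pdu, seed):
    """Apply one structure-aware mutation chosen by seed; returns (strategy, mutated TPDU)."""
    rng = random.Random(seed)                  # one seed per mutant keeps every crash reproducible
    info = parse_deliver(pdu)
    out = bytearray(pdu)
    choices = ["udl_overclaim", "dcs_swap", "bitflip"]
    if info["ies"]:
        choices += ["udhl_overflow", "iedl_overflow", "concat_seq"]
    strategy = rng.choice(choices)
    if strategy == "udl_overclaim":            # declared length exceeds the data present
        out[info["udl_off"]] = 0xFF
    elif strategy == "dcs_swap":               # same bytes, different declared alphabet
        out[info["udl_off"] - 8] = rng.choice([DCS_GSM7, DCS_8BIT, DCS_UCS2])
    elif strategy == "bitflip":                # plain mutation inside the user data
        i = rng.randrange(info["ud_off"], len(out))
        out[i] ^= 1 << rng.randrange(8)
    elif strategy == "udhl_overflow":          # UDHL claims more header than the UD contains
        out[info["ud_off"]] = min(0xFF, len(out) - info["ud_off"] + rng.randrange(1, 16))
    elif strategy == "iedl_overflow":          # one IE length runs past the header end
        p, _, _ = rng.choice(info["ies"])
        out[p + 1] = 0xFF
    else:                                      # concat_seq: sequence number 0, > total, or 0xFF
        for p, iei, data in info["ies"]:
            if iei == IEI_CONCAT8 and len(data) == 3:
                out[p + 4] = rng.choice([0, min(0xFF, data[1] + 1), 0xFF])
    return strategy, bytes(out)


if __name__ == "__main__":
    base = build_deliver("+15551234567", "hello", udh=bytes([IEI_CONCAT8, 3, 0x2A, 2, 1]))
    for s in range(5):
        name, fuzzed = mutate(base, s)
        print(f"{name:14s} {fuzzed.hex()}")
```

Each mutant is derived from (base PDU, integer seed), so a crashing input can be regenerated from two values rather than stored. The length-field mutations are the ones worth watching on a parser: UDHL, IEDL and UDL are all trusted by naive decoders to bound a copy or a loop.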
Graphics (Christoph Diehl)
- Voice codecs
- will set up a fuzzing process for Speex this afternoon; not yet activated in Firefox, but the package provides a stand-alone executable and the process should go smoothly.
- other voice codecs would be G.711 and iLBC, of which iLBC is not yet integrated.
Networking ( Media / Codecs)
Market (Raymond Forbes)
Firefox APIs (Raymond Forbes)
Payment Flow (Raymond Forbes)
App Sync (David Chan)
- no update, still working on mozApps navigator and client review
Dynamic API Security Model (Raymond Forbes)
WebRT (Raymond Forbes)
BrowserID
RFP will be awarded this week.
Identity Services (David Chan)
Addons.M.O (Raymond Forbes)
Bugzilla.M.O (Mark Goodwin & Eric Parker)
No update.