Security/Meetings/SecurityAssurance/2012-09-25
- Time: (Weekly) Tuesday at 13:30 PDT / 16:30 EDT / 21:30 UTC.
- Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
- Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
- Phone (Toronto): 416 848 3114 x92 Conf: 95316#
- Phone (US): 800 707 2533 (pin 369) Conf: 95316#
Agenda
- [Jesse] Fuzzing team discussed Q4 and 12-month goals: https://security.etherpad.mozilla.org/dveditzQ4goalscratchpad
- [Mcoates] Java Vuln - http://seclists.org/bugtraq/2012/Sep/109
- [Mcoates] Talk about Goals
- [gkw] New hire bullet points
- Security Bugs
- When filing a security related bug, check the box labelled:
- "Many users could be harmed by this security problem: it should be kept hidden from the public until it is resolved."
- Always be more conservative than necessary
- Bugs will be opened up if they are deemed not sensitive
- Security Reviews
- Engage the Security Assurance team early on as we may be able to help you avoid security concerns
- File a security review for evaluating the security aspect of a project proposal
- File a security review for a new feature
- More information at https://wiki.mozilla.org/Security/ or at #security
- Project Kick Off Form - https://wiki.mozilla.org/Kick-Off_Form
- [rforbes] HSM usage and stuff
- [gkw] http://gear.mozilla.org just got released
- "Splendidest"?!
- We just un-released it.
- Goals - Please keep status up to date - https://mana.mozilla.org/wiki/display/SECURITY/2012+-+Q3+Goals
Security Review Status (koenig)
- Completed in Q3 2012:
- Number of Reviews Completed (so far this quarter): 55 (51)
- Number of Outstanding Reviews: 143 (144)
Operations Security Update (Joe Stevensen)
Project Updates
Please don't leave blank. Add "No Update" if nothing has changed.
Silent updates (rforbes / dveditz)
B2G (Paul Theriault, David Chan)
- the system is still changing
Thunderbird (Adam Muntner)
Rust (Jesse Ruderman)
Mobile (Mark Goodwin)
Sync (Simon Bennetts & Adam Muntner)
Services (Simon Bennetts & Adam Muntner)
Social - Pancake (Mark Goodwin)
Jetpack, Add-on SDK, Add-on Builder (Dan Veditz)
JS (Christian Holler)
- [decoder] Minor number of regressions due to IonMonkey on mozilla-central, fuzzing x86 and ARM to shake them out until aurora uplift.
- [Jesse & gkw] We have multicore jsfunfuzz'ing!
DOM, XPConnect (Jesse Ruderman)
- [Jesse & gkw] We have multicore domfuzz'ing!
Layout, Style (Jesse Ruderman)
Automation Tools (Gary Kwong)
- [gkw & Jesse] Grappling with Valgrind builds on tbpl
Web Developer Tools (Mark Goodwin)
Networking (Christoph Diehl)
- No update
Graphics (Christoph Diehl)
- No update
Networking (Media / Codecs)
Market (Raymond Forbes)
Firefox APIs (Raymond Forbes)
Payment Flow (Raymond Forbes)
- Lots of updates.
Dynamic API Security Model (Raymond Forbes)
WebRT (Raymond Forbes)
BrowserID
Identity Services (David Chan)
Addons.M.O (Raymond Forbes)
Bugzilla.M.O (Mark Goodwin & Eric Parker)
Mozillians (Raymond Forbes)
MDN (Raymond Forbes)
SUMO (Kitsune)
AddressSanitizer (Christian Holler)
- Major blockers for ASan on try landed, but memory constraints on try are problematic with ASan in general.