• Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
• Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
• Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
• Phone (Toronto): 416 848 3114 x92 Conf: 95316#
• Phone (US): 800 707 2533 (pin 369) Conf: 95316#

Agenda

• [curtisk] Cleanup of stale bugs in the "security assurance: review requests" component
  • https://bugzilla.mozilla.org/buglist.cgi?quicksearch=comp%3A%22security%20assurance%3A%20review%20request%22;list_id=5125091
  • 35 bugs not edited within the last quarter
    • https://bugzilla.mozilla.org/buglist.cgi?type1-0-0=lessthan;list_id=5071289;field0-0-0=status_whiteboard;status_whiteboard_type=allwordssubstr;chfieldto=Now;chfield=%5BBug%20creation%5D;status_whiteboard=pending;bug_status=UNCONFIRMED;bug_status=NEW;bug_status=READY;bug_status=ASSIGNED;bug_status=REOPENED;value1-0-0=2012-10-01;type0-0-0=notsubstring;value0-0-0=%5Bneeds%20info;component=Security%20Assurance%3A%20Review%20Request;field1-0-0=delta_ts
  • a regular "whine" is being setup for every monday for bugs untouched longer than 14 days (currently at 62 bugs)
    • https://bugzilla.mozilla.org/buglist.cgi?type1-0-0=notsubstring;list_id=5125661;type3-0-0=notsubstring;field0-0-0=status_whiteboard;field2-0-0=delta_ts;type0-0-0=substring;value0-0-0=pending;value3-0-0=triage;value2-0-0=2w;field3-0-0=status_whiteboard;type2-0-0=lessthan;query_format=advanced;value1-0-0=needinfo;bug_status=UNCONFIRMED;bug_status=NEW;bug_status=READY;bug_status=ASSIGNED;bug_status=REOPENED;component=Security%20Assurance%3A%20Review%20Request;field1-0-0=flagtypes.name/ <- this url no worky
• [curtisk] Champion contacts
  • https://wiki.mozilla.org/Security/Champions#Security_Champions_2
  • Notes from today's Champions meeting: https://etherpad.mozilla.org/champions
• [gkw] Security Review Pass for Minimal Risk Web Apps (from mcoates)
  • How are we deciding what is low risk?
    • [mcoates] I proposed criteria in an email. Still TBD, but roughly: No PII, no authentication, not critical for Firefox or B2G, etc. Will move to wiki when less rough.
• Not using Mana (Confluence wiki) for goals
  • Problems with Mana: hard to edit (modal wysiwyg), simultaneous editing is fail, bad email diffs
  • [decoder] We could use work.com (previously called Rypple). This could make our yearly review process easier ("what did i do last year?"), if we actually use Rypple again.
    • Especially if we track all our week+ work items, not just our goals, which would have some other advantages.
  • [Jesse] I'd prefer a Google Docs Document containing a table. Or a Google Spreadsheet, if mcoates can show me how to put links inside a cell.
    • How about Google Docs for goals, with links to Rypple for task breakdown?
  • [anonymous troll] Use VIM to edit something in a git repo
• [mcoates] Embedding: our list of who is embedded where is not accurate
  • https://wiki.mozilla.org/Security/TeamEmbedding
  • Please check the items you're listed for, and the items you feel like you're embedded for.
• [Jesse] How do the "embedding" and "champion" programs interact?
• Silisec Thursday evening (Sunnyvale) http://silisec.org/meetup/2012/December/ (for socializing with other security professionals)
• BayThreat this Friday/Saturday
• Goals - Please keep status up to date - https://mana.mozilla.org/wiki/display/SECURITY/2012+-+Q4+Goals
• Review Security Radar Page - https://wiki.mozilla.org/Security/Radar

http://www.squarefree.com/bugzilla/bug-list-munger.html

Upcoming Speaking Engagements

• (Who) : Date: Name of Event : Talk Title: Link
• Yvan Boily : Dec 11 : OWASP Seattle : Security At Scale (Seattle)
• Yvan Boily : Dec 15 : BSidesSeattle : Security Testing with ZAP (Seattle)

Security Review Status (curtisk)

Chart View:

• Completed in Q4 2012:
• Number of Reviews Completed (so far this quarter): 37(33)
  • https://bugzilla.mozilla.org/buglist.cgi?list_id=4619884;resolution=FIXED;chfieldto=2012-12-31;query_format=advanced;chfield=resolution;chfieldfrom=2012-09-30;type0-0-0=anywords;component=Security%20Assurance%3A%20Review%20Request;product=mozilla.org
• Number of Outstanding Reviews: 140(141)
  • https://bugzil.la/comp%3A%22security%20assurance%3A%20review%20request%22
• Number of Reviews Ready For Review: 77 (87)
  • https://bugzil.la/component%3A%22Security%20Assurance%3A%20Review%20Request%22%20%2Bsw%3A%22pending%22%20-flag%3A%22needinfo%22
• Number of reviews without risk rating: 61(31)
  • https://bugzil.la/component%3A%22Security%20Assurance%3A%20Review%20Request%22%20-sw%3A%22%5Bneeds%20info%5D%22%20-sw%3A%22%5Bscore%3A%22
• Number of reviews without deadline set: 130(131)
  • https://bugzilla.mozilla.org/buglist.cgi?field0-0-0=cf_due_date;query_format=advanced;resolution=---;type0-0-0=isempty;component=Security%20Assurance%3A%20Review%20Request;product=mozilla.org
• Find Yours:
  • MIssing Risk Rating (Yours)
  • Without Deadlin (Yours)

Operations Security Update (Joe Stevensen)

Project Updates

Please don't leave blank. Add "No Update" if nothing has changed

Silent updates (rforbes / dveditz)

B2G (Paul Theriault, David Chan)

• more progress on api testing

Thunderbird (Adam Muntner)

Rust (Jesse Ruderman)

Mobile (Mark Goodwin)

Sync (Simon Bennetts)

No update

Services (Simon Bennetts & Adam Muntner)

No update

Jetpack, Add-on SDK, Add-on Builder (Dan Veditz)

JS (Christian Holler)

• No update

DOM, XPConnect (Jesse Ruderman)

Layout, Style (Jesse Ruderman)

Automation Tools (Gary Kwong)

• No update

Web Developer Tools (Mark Goodwin)

Networking (Christoph Diehl)

• Waiting for https://bugzilla.mozilla.org/show_bug.cgi?id=792175

Media / Graphics (Christoph Diehl) =

• No update

Peach (Christoph Diehl / Raymond Forbes) =

• Add OGG Skeleton 3/4 support

Market (Raymond Forbes)

Firefox APIs (Raymond Forbes)

Payment Flow (Raymond Forbes)

Dynamic API Security Model (Raymond Forbes)

WebRT (Raymond Forbes)

BrowserID

Identity Services (David Chan)

Addons.M.O (Raymond Forbes)

Bugzilla.M.O (Mark Goodwin & Eric Parker)

Mozillians (Raymond Forbes)

MDN (Raymond Forbes)

SUMO (Kitsune) ()

AddressSanitizer (Christian Holler)

• mozilla-central builds fixed