Security/Meetings/SecurityAssurance/2012-12-04
- Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
- Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
- Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
- Phone (Toronto): 416 848 3114 x92 Conf: 95316#
- Phone (US): 800 707 2533 (pin 369) Conf: 95316#
Agenda
- [curtisk] Cleanup of stale bugs in the "security assurance: review requests" component
- https://bugzilla.mozilla.org/buglist.cgi?quicksearch=comp%3A%22security%20assurance%3A%20review%20request%22;list_id=5125091
- 35 bugs not edited within the last quarter
- A regular "whine" is being set up for every Monday for bugs untouched longer than 14 days (currently 62 bugs)
- [curtisk] Champion contacts
- https://wiki.mozilla.org/Security/Champions#Security_Champions_2
- Notes from today's Champions meeting: https://etherpad.mozilla.org/champions
- [gkw] Security Review Pass for Minimal Risk Web Apps (from mcoates)
- How are we deciding what is low risk?
- [mcoates] I proposed criteria in an email. Still TBD, but roughly: No PII, no authentication, not critical for Firefox or B2G, etc. Will move to wiki when less rough.
- Not using Mana (Confluence wiki) for goals
- Problems with Mana: hard to edit (modal wysiwyg), simultaneous editing is fail, bad email diffs
- [decoder] We could use work.com (previously called Rypple). This could make our yearly review process easier ("what did I do last year?"), if we actually use Rypple again.
- Especially if we track all our week+ work items, not just our goals, which would have some other advantages.
- [Jesse] I'd prefer a Google Docs Document containing a table. Or a Google Spreadsheet, if mcoates can show me how to put links inside a cell.
- How about Google Docs for goals, with links to Rypple for task breakdown?
- [anonymous troll] Use VIM to edit something in a git repo
- [mcoates] Embedding: our list of who is embedded where is not accurate
- https://wiki.mozilla.org/Security/TeamEmbedding
- Please check the items you're listed for, and the items you feel like you're embedded for.
- [Jesse] How do the "embedding" and "champion" programs interact?
- Silisec Thursday evening (Sunnyvale) http://silisec.org/meetup/2012/December/ (for socializing with other security professionals)
- BayThreat this Friday/Saturday
- Goals - Please keep status up to date - https://mana.mozilla.org/wiki/display/SECURITY/2012+-+Q4+Goals
- Review Security Radar Page - https://wiki.mozilla.org/Security/Radar
- http://www.squarefree.com/bugzilla/bug-list-munger.html
Upcoming Speaking Engagements
- (Who) : Date: Name of Event : Talk Title: Link
- Yvan Boily : Dec 11 : OWASP Seattle : Security At Scale (Seattle)
- Yvan Boily : Dec 15 : BSidesSeattle : Security Testing with ZAP (Seattle)
Security Review Status (curtisk)
- Completed in Q4 2012:
- Number of Reviews Completed (so far this quarter): 37 (33)
- Number of Outstanding Reviews: 140 (141)
- Number of Reviews Ready For Review: 77 (87)
- Number of reviews without risk rating: 61 (31)
- Number of reviews without deadline set: 130 (131)
Operations Security Update (Joe Stevensen)
Project Updates
Please don't leave a section blank. Add "No update" if nothing has changed.
Silent updates (rforbes / dveditz)
B2G (Paul Theriault, David Chan)
- More progress on API testing
Thunderbird (Adam Muntner)
Rust (Jesse Ruderman)
Mobile (Mark Goodwin)
Sync (Simon Bennetts)
- No update
Services (Simon Bennetts & Adam Muntner)
- No update
Jetpack, Add-on SDK, Add-on Builder (Dan Veditz)
JS (Christian Holler)
- No update
DOM, XPConnect (Jesse Ruderman)
Layout, Style (Jesse Ruderman)
Automation Tools (Gary Kwong)
- No update
Web Developer Tools (Mark Goodwin)
Networking (Christoph Diehl)
Media / Graphics (Christoph Diehl)
- No update
Peach (Christoph Diehl / Raymond Forbes)
- Add OGG Skeleton 3/4 support
Market (Raymond Forbes)
Firefox APIs (Raymond Forbes)
Payment Flow (Raymond Forbes)
Dynamic API Security Model (Raymond Forbes)
WebRT (Raymond Forbes)
BrowserID
Identity Services (David Chan)
Addons.M.O (Raymond Forbes)
Bugzilla.M.O (Mark Goodwin & Eric Parker)
Mozillians (Raymond Forbes)
MDN (Raymond Forbes)
SUMO (Kitsune)
AddressSanitizer (Christian Holler)
- mozilla-central builds fixed