Security/Meetings/SecurityAssurance/2013-01-15
- Time: (Weekly) Tuesday at 13:30 PDT / 16:30 EDT / 21:30 UTC.
- Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
- Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
- Phone (Toronto): 416 848 3114 x92 Conf: 95316#
- Phone (US): 800 707 2533 (pin 369) Conf: 95316#
Agenda
- [curtisk] Ready for review bugs
- bugs not ready for review should be changed to UNCONFIRMED for now; all other states (REOPENED, NEW, READY, ASSIGNED) will be counted going forward
- looking into getting the READY status
- could be a long time coming
- Goals: please keep status up to date. Goals are being added to a Google Doc, which will be opened to all for updates soon.
- Review Security Radar Page - https://wiki.mozilla.org/Security/Radar
CanSecWest
- Who wants to go?
- Jesse
- Gary - likely B-sides too
- Joe (depends on agenda)
- Curtisk - bsides as well
- Pauljt? - long travel round the world ... yeah, hence the ?... :)
- cdiehl
- Raymond
- tinfoil (depending on presentations)
- (how about chofmann?)
- Are we buying conference admission as a group?
- B-sides? (2 days before CanSecWest / Pwn2Own) March 4,5
- This is the first year for B-sides Vancouver
- Expecting ~80 attendees
- Pwn2Own
- Anyone submitting to B-sides?
Black Hat / other cons
Black Hat / DEF CON? Isn't that in July/August? Yes, but between the mini-con, work week, and CanSecWest, we should consider what the plan is around Black Hat.
- DerbyCon (Louisville, KY) Sep 25-28
- SkyDogCon (Nashville, TN)
- AppSec USA
- AppSec EU
- ShmooCon??
Conference sponsorships?
- e.g. Mozilla historically sponsored an add-on security contest at Hack in the Box (HITB) Kuala Lumpur 2011 and HITB Amsterdam 2012
Goals
- Most of us have discussed Q1 possible goals with our managers
- The Google Doc will be open to all of us soon
Planned Blog Posts
[decoder] https://security.etherpad.mozilla.org/SecurityBlogSecurityCoverage
- expected 18-Jan-2013
- sent to press for review
Work Week
- May 6th (other details TBD)
- San Francisco
Web Verification Process
Speaking Engagements
- (Who) : Date: Name of Event : Talk Title: Link
- Simon Bennetts : Feb 2-3 : FOSDEM : Talking about ZAP :)
- Raymond Forbes : Feb 27 - March 2 : Nullcon
Security Review Status (curtisk)
- Completed in Q4 2012: 50
- Number of Reviews Completed (so far this quarter): 10 (4)
- Number of Outstanding Reviews: 124 (129)
- Number of Reviews Ready For Review: 65 (67)
- Number of reviews without risk rating: 55 (54)
- Number of reviews without deadline set: 114 (117)
- Find Yours:
Operations Security Update (Joe Stevensen)
Project Updates
Please don't leave blank. Add "No Update" if nothing has changed.
Silent updates (rforbes / dveditz)
B2G (Paul Theriault, David Chan)
- Zero bugs!
- Browser and Update security reviews priority at the moment
Thunderbird (Adam Muntner)
Rust (Jesse Ruderman)
Mobile (Mark Goodwin)
- We're getting ASLR!!!
- Any other ideas for fennec security enhancements, please let me know
Sync (Simon Bennetts)
Services (Simon Bennetts & Adam Muntner)
Jetpack, Add-on SDK, Add-on Builder (Dan Veditz)
JS (Christian Holler)
- [gkw, decoder] Testing bug 820124 & bug 818023 (requested)
- Triaging ~2500 stale fixed JS bugs to find out if they have tests added (QA project)
- ~500 bugs automatically set in-testsuite+
- Working on automated testcase extraction
DOM, XPConnect (Jesse Ruderman)
Layout, Style (Jesse Ruderman)
Automation Tools (Gary Kwong)
- No update (been attending their meetings though)
Web Developer Tools (Mark Goodwin)
- No update (but I've got a mountain of reviews to get through)
Networking (Christoph Diehl)
Media / Graphics (Christoph Diehl)
Peach (Christoph Diehl / Raymond Forbes)
Market (Raymond Forbes)
Firefox APIs (Raymond Forbes)
Payment Flow (Raymond Forbes)
Dynamic API Security Model (Raymond Forbes)
WebRT (Raymond Forbes)
BrowserID
Identity Services (David Chan)
Addons.M.O (Raymond Forbes)
Bugzilla.M.O (Mark Goodwin & Eric Parker)
- No updates
Mozillians (Raymond Forbes)
MDN (Raymond Forbes)
SUMO (Kitsune)
AddressSanitizer (Christian Holler)
- RelEng working on ASan builds, patch in the bug \o/