Security/Meetings/SecurityAssurance/2013-02-05
- Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
- Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
- Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
- Phone (Toronto): 416 848 3114 x92 Conf: 95316#
- Phone (US): 800 707 2533 (pin 369) Conf: 95316#
Agenda
- Joe on PTO this week. Be back Monday. \o/ have fun
- Gary on PTO from Feb 8 Friday (1/2 day) onwards, back Feb 19 Tuesday
- curtis' chat with government folks - helping businesses understand security risks
- I (ygjb) just started a security awareness discussion at OWASP
- Goals - Please keep status up to date - https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AmLct3lOMM6ZdEI4SlE0eGRWdkN5bXBpbV8wcjNzNUE
- Metrics
- https://security-review-statistics.vcap.mozillalabs.com/
- Review Security Radar Page - https://wiki.mozilla.org/Security/Radar
- working with sarentz to move this info to the dashboard
- Security documentation for Firefox OS - https://security.etherpad.mozilla.org/MDN-Firefox-OS
- FirefoxOS Bug Hunt: https://etherpad.mozilla.org/foxhunt
Upcoming Speaking Engagements
(List it at these two locations too: https://developer.mozilla.org/en-US/events & https://wiki.mozilla.org/Security/Talks )
- Raymond Forbes : Feb 27 - March 2 : Nullcon : Bug Bounty Programs
Planned Blog Posts
- https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AlDw2hHXmVgCdHN3LWZTZ0hjMElPc1g2clRKb2lNN3c
- Review needed https://docs.google.com/a/mozilla.com/document/d/1efAITZr77vQc9GQk8c6ErMN4VTXbMW7d2OPTVPWaM1w/edit <- doesn't allow adding comments though :(
Security Review Status (curtisk)
- Completed in Q4 2012: 50
https://security-review-statistics.vcap.mozillalabs.com/weekly
Project Updates
Please add your name to the update so we know who to follow up with
Firefox Desktop
Firefox Mobile
Firefox OS
- Weekly FFOS meeting notes: https://etherpad.mozilla.org/firefoxossecteammtg (pauljt)
- Cool: adb locked down (pauljt)
- Uncool: mozkeyboard is a thing, and it needs security love (also paul :)) (doh)
MarketPlace
Web Apps
Services
Operations Security
Operations Security Update (Joe Stevensen)
Silent updates (rforbes / dveditz)
B2G (Paul Theriault, David Chan)
Thunderbird (Adam Muntner)
Rust (Jesse Ruderman)
Mobile (Mark Goodwin)
Sync (Simon Bennetts)
Services (Simon Bennetts & Adam Muntner)
Jetpack, Add-on SDK, Add-on Builder (Dan Veditz)
JS (Christian Holler)
- Added ASan support to LifoAlloc allocator in the JS engine (bug 838150)
DOM, XPConnect (Jesse Ruderman)
Layout, Style (Jesse Ruderman)
Automation Tools (Gary Kwong)
- ted gave some interesting tips about Breakpad / js shell / Windows
Web Developer Tools (Mark Goodwin)
Networking (Christoph Diehl)
- Working on STUN
Media / Graphics (Christoph Diehl)
- No update
Peach (Christoph Diehl / Raymond Forbes)
- No update
Market (Raymond Forbes)
Firefox APIs (Raymond Forbes)
Payment Flow (Raymond Forbes)
Dynamic API Security Model (Raymond Forbes)
WebRT (Raymond Forbes)
BrowserID
Identity Services (David Chan)
Addons.M.O (Raymond Forbes)
Bugzilla.M.O (Mark Goodwin & Eric Parker)
Mozillians (Raymond Forbes)
MDN (Raymond Forbes)
SUMO (Kitsune) ()
AddressSanitizer (Christian Holler)
- Bug for getting tests on ASan builds: https://bugzilla.mozilla.org/show_bug.cgi?id=831491
- Now includes blockers (e.g. current test failures)