Security/Meetings/SecurityAssurance/2013-02-19
- Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
- Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
- Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
- Phone (Toronto): 416 848 3114 x92 Conf: 95316#
- Phone (US): 800 707 2533 (pin 369) Conf: 95316#
Agenda
- curtisk has been with Mozilla for 2 years on Feb 22 \0/
- MWC next week [pt] https://developer.mozilla.org/en-US/docs/Mozilla/Firefox_OS/Security
- github
- Goals - Please keep status up to date
- Team Meet Up 2013 in SF
- Recommended Reading - http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
- Also, the prequel: http://en.wikipedia.org/wiki/Unrestricted_Warfare
- Metrics
- Review Security Radar Page - https://wiki.mozilla.org/Security/Radar <-- Looks good
- 35 completed reviews so far this quarter
- Please remember to file a sec-assurance bug blocking the original bug for any sec-review? bugs assigned to you, so we can properly track work and age
Upcoming Speaking Engagements
(List it at these two locations too: https://developer.mozilla.org/en-US/events & https://wiki.mozilla.org/Security/Talks )
- Raymond Forbes : Feb 27 - March 2 : Nullcon : Bug Bounty Programs
- David Chan: Feb 22 : talking to a small group of engineers about security testing at Animoto
- Curtis Koenig: Feb 22: OWASP Louisville, Rebooting OWASP Louisville
Planned Blog Posts
Security Review Status (curtisk)
- Completed in Q4 2012: 50
https://security-review-statistics.vcap.mozillalabs.com/weekly
Operations Security Update (Joe Stevensen)
Project Updates
Please add your name to the update so we know who to follow up with
Firefox Desktop
Firefox 19 released - http://www.mozilla.org/en-US/firefox/19.0/releasenotes/
Firefox Mobile
Firefox OS
- Review progressing on target (11 gaia & ~15 platform bugs remaining)
- MWC 25th - working to get security docs cleaned up before then
- Detailed notes: https://etherpad.mozilla.org/firefoxossecteammtg
Firefox Core
- [decoder] Firefox now compiling with MemorySanitizer, working on landing necessary changes and running tests
- [decoder] JS: Baseline Compiler now being fuzzed (https://bugzilla.mozilla.org/show_bug.cgi?id=842258)
MarketPlace
Web Apps
freddy contributed a list of jQuery-specific DOM XSS sinks to the DOM XSS wiki. This is relevant for Mozilla webapps, given that django/playdoh uses jinja2 for templating (server-side escaping does not cover what client-side jQuery code does with the data). See http://code.google.com/p/domxsswiki/wiki/jQuery
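As an added illustration of what a jQuery-specific sink looks like (example code written for these notes, not from the DOM XSS wiki or any Mozilla project): a small Node script that flags jQuery calls which parse their argument as HTML and raises the severity when a well-known untrusted source appears on the same line. The sink and source lists are assumptions drawn from jQuery's documented behaviour, not the wiki's list, and the scanned snippet is constructed.

```javascript
// Assumed list: jQuery methods that parse a string argument as HTML.
const JQUERY_HTML_SINKS = [
  "html", "append", "prepend", "after", "before", "replaceWith",
  "wrap", "wrapAll", "wrapInner", "appendTo", "prependTo",
];
// Assumed list: browser values an attacker can influence.
const UNTRUSTED_SOURCES = [
  "location.hash", "location.search", "location.href",
  "document.referrer", "document.cookie", "window.name",
];

// Matches ".html(", ".append(", ...
const SINK_RE = new RegExp("\\.(" + JQUERY_HTML_SINKS.join("|") + ")\\s*\\(");
// Matches "$(" unless the argument is a plain quoted selector literal: jQuery
// treats a string starting with "<" as markup, so $(variable) and
// $("<b>" + x) are sinks, while $("#id") is only a selector lookup.
const CTOR_RE = /\$\s*\(\s*(?!["'`][^<"'`]*["'`]\s*\))/;

function findJquerySinks(source) {
  const findings = [];
  source.split("\n").forEach((line, idx) => {
    const sinks = [];
    const m = SINK_RE.exec(line);
    if (m) sinks.push("." + m[1] + "()");
    if (CTOR_RE.test(line)) sinks.push("$()");
    if (sinks.length === 0) return;
    // Same-line source is a strong signal; a sink alone still needs review,
    // because the tainted value may have been assigned on an earlier line.
    const src = UNTRUSTED_SOURCES.find((s) => line.includes(s)) || null;
    findings.push({ line: idx + 1, sink: sinks.join(","), source: src,
                    severity: src ? "high" : "review" });
  });
  return findings;
}

// Constructed sample of client-side code to scan.
const SAMPLE = [
  'var name = location.hash.slice(1);',                          // source only
  '$("#greeting").html("Hello " + name);',                        // sink, taint from line 1
  '$("#out").text(location.search);',                            // safe: .text() escapes
  '$(location.hash).show();',                                    // $() with a raw source
  '$("#list").append("<li>" + document.referrer + "</li>");',    // sink + source
  '$("<li>" + window.name + "</li>").appendTo("#list");',         // markup built via $()
].join("\n");

console.log(findJquerySinks(SAMPLE));
```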