Security/Meetings/SecurityAssurance/2013-04-02

  • Time: (Weekly) Tuesday at 13:30 PDT / 16:30 EDT / 20:30 UTC.
  • Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
  • Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
  • Phone (Toronto): 416 848 3114 x92 Conf: 95316#
  • Phone (US): 800 707 2533 (pin 369) Conf: 95316#

Agenda

  • Welcome Christiane Ruetten [:cr] https://phonebook.mozilla.org/#search/cruetten (she says "ohai")
  • Goals - Please keep status up to date - https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AmLct3lOMM6ZdEI4SlE0eGRWdkN5bXBpbV8wcjNzNUE
  • Q1 Wrapup
    • [Jesse] I'm happy with Q1 browser changes: removal of window.Components, CSS columns fixes, cookie policy, ASan/TSan fixes and annotations, plugin click-to-play improvements
    • [gkw] a big thank you to all who helped get machines for the fuzzer folks, shoutout goes to abillings for following through
    • Q1 goal spreadsheet will be locked down soon
    • In the next week, copy/paste your goals into work.com and add narrative (which might include non-goal work you did)
  • Q2 Planning
  • [curtis / Jesse] work week fuzzing day
    • talking to RIM about having a mobile fuzzing presence
    • [Jesse] Should we invite other DOM fuzzing people from other companies? (Inferno from Google, etc)
  • [Jesse] It would be nice if people with non-Mozilla-hosted WordPress blogs could benefit from AppSec's work to determine which plugins are sketchy, reviewed, etc.
    • [tinfoil] We could make a WordPress plugin to scan your WordPress plugins! plugin fix plugin!
    • [tinfoil] It's sorta possible to determine whether some plugins are installed (but not whether they're enabled) (but sometimes they introduce vulns even when disabled)
  • [yvan] WordPress blogs could go read-only if they switch to DISQUS for comments
    • [jesse] But eww then we're loading third-party scripts, and not searchable, and lose control over backups
  • [dveditz] Draft paper comparing browser bug bounty programs
    • Paper shows that Chrome fixes their bounty bugs faster (?)
      • [decoder] Chromium seems to have a top-down approach to assigning security bugs to developers
        • Can we do that too?
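The WordPress item above notes that it is possible to tell whether some plugins are installed, but not whether they are enabled. The following is an added example (not code from the meeting, from AppSec, or from any Mozilla tool) of the usual way that is done from the outside: probing for package files that every plugin ships under /wp-content/plugins/<slug>/. The slug list, the base URL and the canned responses in `FAKE_SITE` are constructed for offline use; `fetch` is a stand-in for a real HTTP client and should only be pointed at a site you operate.

```python
"""Added example: detect *installed* WordPress plugins by probing well-known paths.

The files a plugin package ships with (readme.txt and friends) are served by the
web server as static files whether or not WordPress has activated the plugin, so
presence on disk is observable but activation state is not: that lives in the
wp_options table. A deactivated plugin's PHP files are still reachable, which is
why "installed but disabled" can still matter.
"""

from typing import Callable, Dict, Iterable

# Hypothetical candidate list, constructed for this example (real slugs, chosen
# only because they are common).
CANDIDATE_SLUGS = ["akismet", "jetpack", "wp-super-cache", "hello-dolly"]

# Files that ship with nearly every plugin package and are static, so a plain GET
# answers without executing any plugin code.
PROBE_FILES = ["readme.txt", "README.txt"]


def detect_installed_plugins(
    fetch: Callable[[str], int], base_url: str, slugs: Iterable[str]
) -> Dict[str, str]:
    """Return {slug: verdict} for every plugin whose package files are reachable.

    `fetch(url)` must return an HTTP status code (int).
      200 -> the file exists, so the plugin is installed.
      403 -> the path is there but the host blocks readme files; treat as a weaker
             signal, since some servers answer 403 for any blocked prefix.
      anything else -> no evidence, the slug is left out of the result.
    Nothing here can say whether the plugin is *activated*.
    """
    found: Dict[str, str] = {}
    root = base_url.rstrip("/")
    for slug in slugs:
        for name in PROBE_FILES:
            status = fetch(f"{root}/wp-content/plugins/{slug}/{name}")
            if status == 200:
                found[slug] = "installed"
                break  # strongest evidence already, no need to probe further
            if status == 403 and slug not in found:
                found[slug] = "possibly installed (403)"
    return found


# Constructed offline stand-in for an HTTP client: URL -> status code.
FAKE_SITE = {
    "https://blog.example/wp-content/plugins/akismet/readme.txt": 200,
    "https://blog.example/wp-content/plugins/jetpack/readme.txt": 200,
    "https://blog.example/wp-content/plugins/wp-super-cache/readme.txt": 403,
}


def fake_fetch(url: str) -> int:
    """Pretend HTTP GET: anything not in FAKE_SITE is a 404."""
    return FAKE_SITE.get(url, 404)


if __name__ == "__main__":
    for slug, verdict in detect_installed_plugins(
        fake_fetch, "https://blog.example", CANDIDATE_SLUGS
    ).items():
        print(f"{slug}: {verdict}")
```

To run this against a real site, replace `fake_fetch` with a function that performs the GET and returns `response.status_code`; the scanner only sends GETs for static files, so it never triggers plugin code on the target.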

Upcoming Speaking Engagements

(List it at these two locations too: https://developer.mozilla.org/en-US/events & https://wiki.mozilla.org/Security/Talks )

  • Psiinon LatAm Uruguay (remote) tomorrow
  • MGoodwin, 10th @ Sheffield Hallam (will update talks pages)
  • Yvan, BSidesWinnipeg (November)
  • Yvan,
  • Yvan,
  • St3fan, Submitted a talk about Firefox OS to OHM2013 https://ohm2013.org
  • St3fan, Will submit a talk about Minion to OHM2013

Planned Blog Posts

Metrics (curtisk)

  • Security Reviews Completed in Q1 2013: 66

https://security-review-statistics.vcap.mozillalabs.com/weekly

Operations Security Update (Joe Stevensen)

Project Updates

Please add your name to the update so we know who to follow up with

Firefox Desktop

Firefox Mobile

Firefox OS

Firefox Core

MarketPlace

Web Apps

Services

Operations Security