• Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
• Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
• Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
• Phone (Toronto): 416 848 3114 x92 Conf: 95316#
• Phone (US): 800 707 2533 (pin 369) Conf: 95316#

Agenda

• [curtisk] fuzzing meetup during team meeting
  • Tue/Wed/Thu
  • if Wed do we want to invite outsiders along on the evenings festivities
    • if no then I propose Thu as the date for them to come in and meet with us
• First draft of Q1 summary - https://mana.mozilla.org/wiki/display/SECURITY/2013+-+Q1+Goals
  • Additional graphs will be added
• Q2 Goals
  • https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AmLct3lOMM6ZdHU3a2lJRV8xckZXclZJdkNlN3dUYVE&usp=sharing
• [decoder] Future of code coverage for tests
  • Broke in Feb. Should I spend time getting it to work again, or should I say it's SEP?
    • The current setup is a Rube Goldberg machine. Because it's such a hack, it's hard to maintain. ATeam or RelEng would be in a better place to maintain something like this.
    • Developers keep asking about it.
• [dveditz] Are we tracking "improve the platform to support games better" (vlad's push) as a key initiative worthy of being a specially tracked goal?
  • answer: no
• [st3fan] Minion Stories https://wiki.mozilla.org/Minion_User_Stories
• [st3fan] Stooge http://50.56.178.103:11627/
• [psiinon] ZAP 2.1.0 release this week (just for info;)
• Are we fuzzing B2G?
  • We're testing pieces...
    • Gary is fuzzing touch (orangfuzz)
    • Gary is fuzzing JS engine on ARM
    • decoder is fuzzing JS engine on qemu (userspace/normal qemu)
    • Jesse is hoping to fuzz with OMTC enabled on desktop
    • Christoph is fuzzing IPC and codecs on emulator and device
• Metrics
  • https://security-review-statistics.vcap.mozillalabs.com/
  • https://people.mozilla.com/~sarentz/p/dashboard
  • Review Security Radar Page - https://wiki.mozilla.org/Security/Radar

Upcoming Speaking Engagements

(List it at these two locations too: https://developer.mozilla.org/en-US/events & https://wiki.mozilla.org/Security/Talks )

• [psiinon] April 24 ZAP ThreadFix webinar

Planned Blog Posts

• https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AlDw2hHXmVgCdHN3LWZTZ0hjMElPc1g2clRKb2lNN3c
• [gkw] Orangfuzz blogpost likely going out today

Security Review Status (curtisk)

• Completed in Q1 2013: 66

https://security-review-statistics.vcap.mozillalabs.com/weekly

Operations Security Update (Joe Stevensen)

Project Updates

Please add your name to the update so we know who to follow up with

Firefox Desktop

Firefox Mobile

Firefox OS

• [cr] started https://developer.mozilla.org/en-US/docs/Apps/Security_guidelines for Firefox OS app developers and reviewers
  • Based on Paul's Google Doc
  • Needs reviews

Firefox Core

• [gkw] ARM hardware is slowly becoming more feasible for more reliable native fuzzing as they improve over the years

MarketPlace

• [cr] started collecting Firefox Market architecture information (rforbes, kang, oremj, more...)
  • Required for planning improving and augmenting the review process
  • So far not centrally documented, lots of running.
  • Input appreciated if you know details on the hosts, databases and webapps involved in the Firefox Market as well as the review and signing process.

Web Apps

Services

Operation Security