• Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
• Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
• Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
• Phone (Toronto): 416 848 3114 x92 Conf: 95316#
• Phone (US): 800 707 2533 (pin 369) Conf: 95316#

Agenda

• [curtisk] reminder, we have set Thu as the day for the fuzzers from BB to come join us
  • if working with other orgs would be good to have them on that day as well
• Goals
  • Should be locked in. - Remeber to have measurable goal so you know when you're done.
  • Please keep status up to date - https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AmLct3lOMM6ZdHU3a2lJRV8xckZXclZJdkNlN3dUYVE#gid=1
• Metrics
  • Q1 - https://mana.mozilla.org/wiki/display/SECURITY/2013+-+Q1+Goals
  • https://security-review-statistics.vcap.mozillalabs.com/
    • "Ready for Review" / "Total Outstanding" / "Without Risk Ranking"
      • appear to have plateaued, we're neither driving it down nor is does it appear to be getting additional - seems a bit odd they are not moving more
  • https://people.mozilla.com/~sarentz/p/dashboard
    • Good progress on unresolved/unassigned web-security bugs. See dashboard
  • Review Security Radar Page - https://wiki.mozilla.org/Security/Radar
    • WARNING: page is broken due to a bug in mediawiki that is not allowing collapsable items, so ignore this for now until a fix is available
• Risk Ratings for security reviews
  • Link - Tool to do risk review: https://people.mozilla.com/~ckoenig/
  • Process Link - https://wiki.mozilla.org/Security/RiskRatings <- this is unclear honestly, I will update it into a more flow like
  • Etherpad for discussing: https://etherpad.mozilla.org/SecurityRiskRanking
• [pauljt] WebRTC... halp!
  • https://wiki.mozilla.org/Media/WebRTC/WebRTCE10S (E10S=multiprocess/related to sandboxing)
• [psiinon] ZAP 2.1.0 released \\o \o/ o//

Upcoming Speaking Engagements

(List it at these two locations too: https://developer.mozilla.org/en-US/events & https://wiki.mozilla.org/Security/Talks )

• [psiinon] April 24 ZAP ThreadFix webinar

Planned Blog Posts

• https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AlDw2hHXmVgCdHN3LWZTZ0hjMElPc1g2clRKb2lNN3c

Security Review Status (curtisk)

• Completed in Q1 2013: 66
• Currently Completed this quarter: 13

https://security-review-statistics.vcap.mozillalabs.com/weekly

Operations Security Update (Joe Stevensen)

• Persona on internal sites by end of Q2
  • https://vimeo.com/64467368 (has link to real world test too on it)
• Verizon DBIR (Data Breach Investigations Report) released today http://www.verizonenterprise.com/DBIR/2013/

Project Updates

Please add your name to the update so we know who to follow up with

Firefox Desktop

Firefox Mobile

Firefox OS

• [cr] work in progress: https://mana.mozilla.org/wiki/display/~cruetten@mozilla.com/Firefox+OS+Malware+Defense+Strategy
  • comments welcome

Firefox Core

MarketPlace

Web Apps

Services

Operation Security