122
edits
Security/Automation/Winter Of Security 2015: Difference between revisions
Security/Automation/Winter Of Security 2015 (view source)
Revision as of 18:18, 13 October 2015
, 13 October 2015Link to the sub-page for Let's Encrypt
(Let's Encrypt project - Enable hardmode) |
(Link to the sub-page for Let's Encrypt) |
||
| (10 intermediate revisions by 3 users not shown) | |||
| Line 7: | Line 7: | ||
Note on language: English is required for code comments and documentation, but not for interactions between students and advisers. Advisers who speak the same language as their students are encouraged to interact in that language. | Note on language: English is required for code comments and documentation, but not for interactions between students and advisers. Advisers who speak the same language as their students are encouraged to interact in that language. | ||
Contact us on [[IRC|irc.mozilla.org]] in the '''# | Contact us on [[IRC|irc.mozilla.org]] in the '''#security''' channel if you have questions. | ||
== Selection process == | == Selection process == | ||
| Line 18: | Line 18: | ||
* links to relevant resources (university website, resumes, ...) | * links to relevant resources (university website, resumes, ...) | ||
''' | '''[https://docs.google.com/a/mozilla.com/forms/d/1xI_HySIHTQeAWmyUPmHiEfEe3aIK4NSL9BFFqrOXcxM/viewform Click here to access to application form]''' | ||
== Timeline == | == Timeline == | ||
| Line 35: | Line 35: | ||
[http://mig.mozilla.org Mozilla InvestiGator (MIG)] is a digital forensics platform used by Mozilla to monitor the security of servers. MIG deploys an agent on systems that is used to maintain the security of the infrastructure. The goal of this project is to add a log monitoring component to the MIG agent to continuously read the logs of a system and trigger alerts on specific patterns (string matching, repeated message within a sliding window, etc...). The log monitoring component must be built in the Go language and must support Linux, MacOS and Windows log analysis. Beyond basic log monitoring, a successful team will be encouraged to evaluate heuristic based threat detection, and how groups of agents can be used together to identify unusual behaviors. | [http://mig.mozilla.org Mozilla InvestiGator (MIG)] is a digital forensics platform used by Mozilla to monitor the security of servers. MIG deploys an agent on systems that is used to maintain the security of the infrastructure. The goal of this project is to add a log monitoring component to the MIG agent to continuously read the logs of a system and trigger alerts on specific patterns (string matching, repeated message within a sliding window, etc...). The log monitoring component must be built in the Go language and must support Linux, MacOS and Windows log analysis. Beyond basic log monitoring, a successful team will be encouraged to evaluate heuristic based threat detection, and how groups of agents can be used together to identify unusual behaviors. | ||
=== Menagerie - | === MIG Agent sandboxing === | ||
* Mozilla Advisor: [https://mozillians.org/en-US/u/kang/ Guillaume Destuynder] and [https://mozillians.org/en-US/u/alm/ Aaron Meihm] | |||
* Difficulty: high | |||
* Language: english or french | |||
[http://mig.mozilla.org Mozilla InvestiGator (MIG)] is a digital forensics platform used by Mozilla to monitor the security of servers. MIG deploys an agent on systems that is used to maintain the security of the infrastructure. The agent currently runs as root in order to run investigation modules that have low-level access to the system. The goal of this project is to sandbox the MIG Agent on Linux in a way that allows each part to perform investigative work while having as little privileges as possible. The team will have to use the [https://en.wikipedia.org/wiki/Seccomp Linux Seccomp] mechanism, and the existing [https://chromium.googlesource.com/chromiumos/platform/go-seccomp/+/master Go library], to implement a sandbox in the Agent. If possible, the team will also evaluate sandboxing on MacOS and Windows. | |||
The ideal team will have proven experience in Golang and Linux systems architecture. | |||
=== Menagerie - a collection of tests and demos for security headers and TLS configurations === | |||
* Mozilla Advisor: [https://mozillians.org/en-US/u/mgoodwin/ Mark Goodwin] and [https://mozillians.org/en-US/u/april/ April King] | * Mozilla Advisor: [https://mozillians.org/en-US/u/mgoodwin/ Mark Goodwin] and [https://mozillians.org/en-US/u/april/ April King] | ||
* Difficulty: Low | * Difficulty: Low | ||
| Line 45: | Line 53: | ||
** CSP examples (good and bad) | ** CSP examples (good and bad) | ||
** HSTS examples | ** HSTS examples | ||
=== MozDef Virtual Reality Interface=== | === MozDef Virtual Reality Interface=== | ||
| Line 65: | Line 62: | ||
=== Mixed content scanning with OWASP ZAP=== | === Mixed content scanning with OWASP ZAP=== | ||
* Mozilla Advisor: [https://mozillians.org/en-US/u/psiinon/ Simon Bennetts] and [https://mozillians.org/en-US/u/jvehent/ Julien Vehent] | * Mozilla Advisor: [https://mozillians.org/en-US/u/psiinon/ Simon Bennetts] and [https://mozillians.org/en-US/u/jvehent/ Julien Vehent] | ||
* Difficulty: | * Difficulty: low | ||
* Language: English | * Language: English | ||
Mixed content is a major blocker in the adoption of HTTPS Everywhere. The goal of this project is to use [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project OWASP ZAP] to scan the internet and identify commonly important resources that do not support HTTPS. The team will then work with Mozilla to help move those resources under HTTPS, and thus fix mixed content issues for large amounts of sites. | Mixed content is a major blocker in the adoption of HTTPS Everywhere. The goal of this project is to use [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project OWASP ZAP] to scan the internet and identify commonly important resources that do not support HTTPS. The team will then work with Mozilla to help move those resources under HTTPS, and thus fix mixed content issues for large amounts of sites. | ||
=== Certificate Automation tooling for Let's Encrypt === | === [https://wiki.mozilla.org/Security/Automation/Winter_Of_Security_2015/Certificate_Automation_tooling_for_Lets_Encrypt Certificate Automation tooling for Let's Encrypt] === | ||
* Mozilla Advisor: [https://mozillians.org/en-US/u/jcjones/ J.C. Jones] and [https://mozillians.org/en-US/u/rbarnes/ Richard Barnes] | * Mozilla Advisor: [https://mozillians.org/en-US/u/jcjones/ J.C. Jones] and [https://mozillians.org/en-US/u/rbarnes/ Richard Barnes] | ||
* Difficulty: hard | * Difficulty: hard | ||
| Line 77: | Line 74: | ||
== FAQ == | == FAQ == | ||
=== What is meant by "Presentation of the University program" in the application form? === | |||
We would like to see what kind of degree your are currently pursuing (e.g. Bachelor of Science in Computer Science or Master of Science in IT Security, ..), as well as a description of the | |||
We would like to see what kind of degree your are currently pursuing (e.g. Bachelor of Science in Computer Science or Master of Science in IT Security, ..), as well as a description of the university itself. This is another data point that gives us more information about the applicants' chances to successfully complete a project. | |||
=== Can students apply to multiple projects? === | |||
Yes. Students can apply to one or more projects. Students cannot apply twice for the same project, even if their team compositions varies. | Yes. Students can apply to one or more projects. Students cannot apply twice for the same project, even if their team compositions varies. | ||
=== What criteria will you use to select the candidates? === | |||
The skills and passion of the team members are key points. The size of the team may play in the favor of applicants, but is not a requirement. A single candidate who can show a portfolio of successful projects will have the same chances as larger teams. | The skills and passion of the team members are key points. The size of the team may play in the favor of applicants, but is not a requirement. A single candidate who can show a portfolio of successful projects will have the same chances as larger teams. | ||
Commitment from the University is a strong requirement. Students need to demonstrate that their professors support them, and will give them time to work on the projects. The ideal situation is for a team to pick a MWoS project as their final thesis, and work on the project for a full semester. Not all students will be able to do so, and we will evaluate all applications with the same level of scrutiny. | Commitment from the University is a strong requirement. Students need to demonstrate that their professors support them, and will give them time to work on the projects. The ideal situation is for a team to pick a MWoS project as their final thesis, and work on the project for a full semester. Not all students will be able to do so, and we will evaluate all applications with the same level of scrutiny. | ||
=== Are multiple universities allowed to collaborate and have a single team? === | |||
Yes. | |||
=== Can I still work on Mozilla projects if I am not selected for MWoS? === | |||
Yes! We continuously have projects that are available for students to grab! Take a look at the [[Security/Mentorship|Mentorship]] program, and reach out to us in the #security IRC channel if you are interested. | Yes! We continuously have projects that are available for students to grab! Take a look at the [[Security/Mentorship|Mentorship]] program, and reach out to us in the #security IRC channel if you are interested. | ||
== Project pages == | |||
<splist | |||
parent= | |||
showparent=no | |||
sort=asc | |||
sortby=title | |||
liststyle=ordered | |||
showpath=no | |||
kidsonly=no | |||
/> | |||
== Media == | == Media == | ||