Security/Automation/Winter Of Security 2016: Difference between revisions

→‎Projects: Add links to the NSS projects that were selected
 
(14 intermediate revisions by 5 users not shown)
Line 1: Line 1:
= Winter Of Security 2016 =
= Winter Of Security 2016 =
[[File:WinterOfSecurity_logo_light_horizontal.png|right|500px]]
[[File:WinterOfSecurity_logo_light_horizontal.png|right|500px]]
The Winter of Security (MWOS) is Mozilla's program to involve students with Security projects. Students who have to perform a semester project as part of their university curriculum can apply to one of the MWOS project. Projects are guided by a Mozilla Adviser, and a University Professor. Students are graded by their University, based on success criteria identified at the beginning of the project. Mozilla Advisers allocate up to 2 hours each week to their students, typically on video-conference, to discuss progress and roadblocks.
The Winter of Security (MWOS) is a program organized by [[Security|Mozilla's Security teams]] to involve students with Security projects. Students who have to perform a semester project as part of their university curriculum can apply to one of the MWOS project. Projects are guided by a Mozilla Adviser, and a University Professor. Students are graded by their University, based on success criteria identified at the beginning of the project. Mozilla Advisers allocate up to 2 hours each week to their students, typically on video-conference, to discuss progress and roadblocks.


Projects are focused on building security tools, and students are expected to write code which must be released as Open Source. Universities are free to specify their own requirements to projects, such as written reports. Mozilla does not influence the way grades are allocated, but advisers will provide any information professors need in order to grade their students.
Projects are focused on building security tools, and students are expected to write code which must be released as Open Source. Universities are free to specify their own requirements to projects, such as written reports. Mozilla does not influence the way grades are allocated, but advisers will provide any information professors need in order to grade their students.
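Review bot: "can apply to one of the MWOS project" should read "one of the MWOS projects"; the revision rewrites this sentence to add the [[Security|Mozilla's Security teams]] link but carries the typo over from the old text. Suggest "Students who have to perform a semester project as part of their university curriculum can apply to one of the MWOS projects."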
Line 18: Line 18:
* links to relevant resources (university website, resumes, ...)
* links to relevant resources (university website, resumes, ...)


'''[https://docs.google.com/a/mozilla.com/forms/d/1xI_HySIHTQeAWmyUPmHiEfEe3aIK4NSL9BFFqrOXcxM/viewform Click here to access to application form]'''
'''[https://docs.google.com/a/mozilla.com/forms/d/e/1FAIpQLSexbSnJQMdeHJDbiXcrIBGcOPlK5EPvDYwldZpreSnXLX6-6Q/viewform Click here to access the application form]'''
 
[[File:Mwos application form 2016.png|500px]]


== Timeline ==
== Timeline ==


We will be opening the program for applications on July 15th, closing the application process on August 15th, and announcing results on September 1st.
We will be opening the program for applications on July 29th, closing the application process on September 15th, and announcing results on September 30th.
   
   
The students and their professor can decide on the timeline, and make sure that it fits well with other classes.
The students and their professor can decide on the timeline, and make sure that it fits well with other classes.
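Review bot: the replacement application-form link points at a different Google Forms id than the one it replaces, and nothing in the hunk or the edit summary says whether the old form was retired; if it was, applicants following a cached copy of the old link should be redirected or the old form closed, otherwise two forms will collect applications in parallel. The wording fix ("access the application form") and the added [[File:Mwos application form 2016.png|500px]] screenshot are fine, and the shifted timeline (July 29th / September 15th / September 30th) is consistent with itself.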
Line 55: Line 57:
The enhancement would allow ZAP to detect as many forms of authentication as possible and automatically configure them using the existing ZAP functionality.  
The enhancement would allow ZAP to detect as many forms of authentication as possible and automatically configure them using the existing ZAP functionality.  


=== Plug'n'hack: Support for e10s ===
=== Plug'n'hack / ringleader: Support for e10s (and more) ===
* Mentors: [https://mozillians.org/en-US/u/mgoodwin/ Mark Goodwin], [https://mozillians.org/en-US/u/psiinon/ Simon Bennetts]
* Mentors: [https://mozillians.org/en-US/u/mgoodwin/ Mark Goodwin], [https://mozillians.org/en-US/u/psiinon/ Simon Bennetts]


=== NSS: Demos ===
Plug'n'hack is a mechanism for configuring a browser profile to work with security tools. [https://github.com/mozmark/ringleader Ringleader] is a firefox addon implementation of Plug'n'hack that makes it easy to configure Firefox. Since Ringleader was written, there have been major changes to Firefox (most notably, e10s) that prevent the addon from working. We'd like to fix this.
 
This project requires familiarity with JavaScript and, optionally, some knowledge of making browser extensions (ideally, firefox add-ons).
 
=== [https://wiki.mozilla.org/NSS/Demos NSS: Demos] ===
* Mentors: [https://mozillians.org/en-US/u/franziskus/ Franziskus Kiefer], [https://mozillians.org/en-US/u/ttaubert/ Tim Taubert], [https://mozillians.org/en-US/u/jcjones/ JC Jones]
* Mentors: [https://mozillians.org/en-US/u/franziskus/ Franziskus Kiefer], [https://mozillians.org/en-US/u/ttaubert/ Tim Taubert], [https://mozillians.org/en-US/u/jcjones/ JC Jones]


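Review bot: the new Plug'n'hack paragraph spells "firefox" in lower case twice ("a firefox addon implementation", "ideally, firefox add-ons") while the same paragraph and the rest of the page use "Firefox", and it mixes "addon" with "add-ons". Suggest "Ringleader is a Firefox add-on implementation of Plug'n'hack" and "(ideally, Firefox add-ons)". The renamed heading "Plug'n'hack / ringleader: Support for e10s (and more)" now matches a body that explains what Ringleader is, which is an improvement over the bare heading it replaces.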
Line 71: Line 77:
This project should identify those problems, fix them, and provide integration for all major HTTP server.
This project should identify those problems, fix them, and provide integration for all major HTTP server.


=== NSS: SHA-3 Implementation ===
'''Details: '''
* An Apache module for NSS [https://fedorahosted.org/mod_nss/ exists] but lacks important features such as [https://en.wikipedia.org/wiki/HTTP/2 HTTP/2] support.
* NGINX lacks TLS module support entirely. We recently started a push to [https://github.com/nginx/nginx/commit/4f578bfcab740fcfbbb8824822803ad9b3f176cc make it agnostic to the used TLS library]. This works has to be continued and requires a new module for NSS.
 
This project is ideal for a self-motivated group that prefers an open project definition with lots of freedom to shape directions and outcome of it.
 
=== [https://wiki.mozilla.org/NSS/ARGON2 NSS: Blake2 Implementation] ===
* Mentors: [https://mozillians.org/en-US/u/franziskus/ Franziskus Kiefer], [https://mozillians.org/en-US/u/ttaubert/ Tim Taubert], [https://mozillians.org/en-US/u/jcjones/ JC Jones]
* Mentors: [https://mozillians.org/en-US/u/franziskus/ Franziskus Kiefer], [https://mozillians.org/en-US/u/ttaubert/ Tim Taubert], [https://mozillians.org/en-US/u/jcjones/ JC Jones]


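Review bot: the new heading "[https://wiki.mozilla.org/NSS/ARGON2 NSS: Blake2 Implementation]" links to the NSS/ARGON2 page while the visible title says Blake2; either the link target or the title is wrong, and the "NSS: SHA-3 Implementation" heading it replaces does not resolve which, so this should be checked against the selected project. In the same hunk, "This works has to be continued" should read "This work has to be continued", and the unchanged context line "provide integration for all major HTTP server" should be "servers".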
Line 92: Line 104:
This project would work on improving the scalability and feature set of ssh_scan, a tool for scanning for ssh policy and compliance (mainly attributes found here https://github.com/claudijd/ssh_scan/blob/master/examples/192.168.1.1.json).  This tool is currently open-sourced as more of a prototype tool here (https://github.com/claudijd/ssh_scan).  Current feature gaps include the ability to detect the types of authentication (password/key-based/auth), nmap-style targeting and scanning, and IPv6 support.  Lastly, it might be useful to have some server-side infrastructure components/API developed for this service with a cool front end to assist with scanning/compliance automation.  These are the sorts of things this project team would attempt to solve and deliver during the project window.
This project would work on improving the scalability and feature set of ssh_scan, a tool for scanning for ssh policy and compliance (mainly attributes found here https://github.com/claudijd/ssh_scan/blob/master/examples/192.168.1.1.json).  This tool is currently open-sourced as more of a prototype tool here (https://github.com/claudijd/ssh_scan).  Current feature gaps include the ability to detect the types of authentication (password/key-based/auth), nmap-style targeting and scanning, and IPv6 support.  Lastly, it might be useful to have some server-side infrastructure components/API developed for this service with a cool front end to assist with scanning/compliance automation.  These are the sorts of things this project team would attempt to solve and deliver during the project window.


=== OpenSAMM: Security Testing Workflow and Toolchain for Python Websites and Services ===
=== Security Testing Workflow and Toolchain for Python Websites and Services ===
* Mentors: [https://mozillians.org/en-US/u/amuntner/ Adam Muntner]
* Mentors: [https://mozillians.org/en-US/u/amuntner/ Adam Muntner]


Manual security reviews are time consuming, expensive, and important for the most critical websites and services. By documenting testing goals, trying to best approximate them, and measuring, we can create an efficient, reusable workflow with known properties and a plan to improve it in the future, a Maturity Model approach.  
Manual security reviews are time consuming, expensive, and important for the most critical websites and services. By documenting testing goals, trying to best approximate them, and measuring, we can create an efficient, reusable workflow with known properties and a plan to improve it in the future, a Maturity Model approach.  
The goal of this project is to use Maturity Model approach to create a reusable workflow and toolkit for manual "grey-box" security review of Python websites and services.  
The goal of this project is to use Maturity Model approach to create a reusable workflow and toolkit for manual "grey-box" security review of Python websites and services.  
We will create a maturity model that describes the target capabilities of an ideal reusable "grey box" workflow documentation and toolkit, create one that can be dropped in to an existing test environment such as a Docker and used with minimal configuration,  document what works and what's missing according to the Maturity Model, and create a roadmap for future work.  
We will create a maturity model that describes the target capabilities of an ideal reusable "grey box" workflow documentation and toolkit, test available tools, document what works and what's missing according to the Maturity Model, create a test environment that can be dropped in to an existing test environment such as a Docker and used with minimal configuration,and create a roadmap for future work.  
We will script integration of existing tools and methods to create a reusable test harness that reports testing coverage and supports remote debugging, automate setup to use an IDE to remote debug an application while testing it with Zap proxy, identify the best ways to test for Python-specific issues, make the IDE as tester-friendly as possible, use Python AST visualization to visualize security decisions in code, and making the toolkit as quick to deploy and use as possible, etc. We'll use the toolkit to evaluate complex real-world services like Mozilla Addons.
We will script integration of existing tools and methods to create a reusable test harness that reports testing coverage and supports remote debugging, automate setup to use an IDE to remote debug an application while testing it with Zap proxy, identify the best ways to test for Python-specific issues, make the IDE as tester-friendly as possible, use Python AST visualization to visualize security decisions in code, and making the toolkit as quick to deploy and use as possible, etc. We'll use the toolkit to evaluate complex real-world services like Mozilla Addons.
Some preparatory work has already begun for this project, the MWOS goal is to move it to a point where it is a usable, ongoing project.


== FAQ ==
== FAQ ==
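Review bot: in the rewritten paragraph, "minimal configuration,and create a roadmap" is missing the space after the comma, and "use Maturity Model approach" (present on both sides of the hunk) needs the article: "use a Maturity Model approach". The renamed heading drops the "OpenSAMM:" prefix although the body still describes a maturity-model approach; if OpenSAMM is no longer the framework being followed this is fine, otherwise the reference is worth keeping so readers know which model is meant. The added sentence about preparatory work being already under way is clear.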
Line 117: Line 130:
=== Are multiple universities allowed to collaborate and have a single team? ===
=== Are multiple universities allowed to collaborate and have a single team? ===


Yes.
Yes. We will ask that students mentored by multiple professors get approval from all of their professors.


=== Can I still work on Mozilla projects if I am not selected for MWoS? ===
=== Can I still work on Mozilla projects if I am not selected for MWoS? ===
Line 135: Line 148:


== Media ==
== Media ==
All media files are available under license MPLv2 and can be reused freely.
[[File:WinterOfSecurity_logo_light_horizontal.png|400px]]
[[File:WinterOfSecurity_logo_light_horizontal.png|400px]]
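Review bot: "available under license MPLv2" reads more naturally as "available under the MPLv2 license", and linking the license text would make the reuse terms unambiguous for anyone picking up the logo.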

