Security/Meetings/SecurityAssurance/2012-05-22: Difference between revisions
=Agenda=
* Flash Update - https://mana.mozilla.org/wiki/display/INFRASEC/Block+Listing+Flash
** We had a long internal discussion on security-group about protecting users with (very) old versions of Flash.
** Possibilities include a soft block, an even softer "outdated" info bar, and waiting until we ship Firefox 15 with click-to-play (and a fix for https://bugzilla.mozilla.org/show_bug.cgi?id=686335 ?).
* Bugzilla Tips - https://mana.mozilla.org/wiki/pages/viewpage.action?pageId=22381156
** Queries for the security team, and Bugzilla tricks that are relevant to us
** Why is this private?
*** Open to moving to another location, not sensitive
* Work Week
* [Rforbes] MarketPlace Update
* [Paul] B2G Update
* Security evangelism
** Mark and David are researching Fennec's competitiveness on security and privacy features, especially against the stock Android browser.
* [Yvan] Mentorship
** We're picking out "good first bugs" for web security bugs
* [decoder] Update on ASan builds
* Blackhat / Defcon 2012 update?
** https://wiki.mozilla.org/Security/BlackHat_2012
* Goals - Please keep status up to date - https://mana.mozilla.org/wiki/display/INFRASEC/2012+-+Q2+Goals
* Travel: decoder going to HITB tomorrow till Friday (meeting with imelven and Lucas)
* Security comparison
** https://mana.mozilla.org/wiki/display/~mcoates@mozilla.com/Comparison+points
=Security Review Status (koenig)=
* Number of Reviews Completed (so far this quarter): 48 (last week 59) <-- trying to figure out how this went down
** https://bugzilla.mozilla.org/buglist.cgi?keywords=sec-review-complete%2C%20;keywords_type=allwords;list_id=2876446;field0-0-0=keywords;type0-0-0=changedafter;value0-0-0=2012.03.31;query_format=advanced = 22 (27)
** https://bugzilla.mozilla.org/buglist.cgi?list_id=2999910;resolution=FIXED;chfieldto=Now;chfield=resolution;query_format=advanced;chfieldfrom=2012-03-31;type0-0-0=anywords;component=Security%20Assurance%3A%20Review%20Request;product=mozilla.org = 26 (32)
* Number of Outstanding Reviews: 192 (last week 171)
** https://bugzilla.mozilla.org/buglist.cgi?keywords=sec-review-needed%2C%20;query_format=advanced;keywords_type=allwords;list_id=2876531;field0-0-0=product;type0-0-0=notequals;value0-0-0=mozilla.org;resolution=---;resolution=DUPLICATE = 51
** https://bugzilla.mozilla.org/buglist.cgi?list_id=2999921;query_format=advanced;bug_status=UNCONFIRMED;bug_status=NEW;bug_status=ASSIGNED;bug_status=REOPENED;component=Security%20Assurance%3A%20Review%20Request;product=mozilla.org = 141
=Project Updates=
Please don't leave blank. Add "No Update" if nothing has changed.
==Silent updates (rforbes / dveditz)==
==B2G (Paul Theriault --> & David Chan)==
* (Welcome David!! :)
B2G starting to be tracked a little more, making secreview easier to plan:
https://docs.google.com/spreadsheet/ccc?key=0AiBigu584YY7dGlNSlY0QzhJb3M5anRBa1gxalV0Y3c#gid=0
* Gaia now more detailed in the spreadsheet - yvan, we should plan external review soon, tomorrow
* Meeting with Jlebar this morning to further refine the permissions model
* Gaia hacking day next week? Any interest?
==Thunderbird (Dan Veditz)==
==Rust (Jesse Ruderman)==
==Mobile (David Chan --> Mark Goodwin)==
* no update
==Sync (David Chan --> Simon & Adam)==
* android sync update to beta before end of quarter
==Services (David Chan --> Simon & Adam)==
* tokenserver review underway
* notifications needs review
==Social - Pancake (Mark Goodwin)==
Hoping for limited public release in 2 weeks' time.
Only major worry is around CEF logging - they've implemented a mechanism in tornado for doing this, but work to actually satisfy my logging requirements will take longer than anticipated. They're asking if this is a blocker...
* Not for beta release. Yes for public release
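The Pancake update above only says that the CEF (Common Event Format) logging built in tornado does not yet meet the review's logging requirements; the page does not say what those requirements are or show that code. As an added example (not Pancake's, tornado's or Mozilla's code), the block below is a small CEF:0 formatter and parser that demonstrates the one property any such logger has to get right before a public release: escaping, so that attacker-controlled values (user names, URLs, form fields) cannot forge extra fields or a whole second event in the security log. The vendor/product/version strings, signature IDs and the sample "evil" user name are assumptions made up for the example.

```python
import re

# Escape sequences CEF defines for extension values (besides \\ and \=).
_CONTROL = {"n": "\n", "r": "\r"}
_KEY_RE = re.compile(r"[A-Za-z0-9_]+")
# An extension key is a run of word characters followed by '=' at the start
# of the extension or right after a space; an escaped '\=' never matches.
_KEY_AT = re.compile(r"(?:^|(?<= ))([A-Za-z0-9_]+)=")


def _escape_header(value):
    """Header fields (vendor, product, version, signature id, name): only
    backslash and pipe are special; line breaks are refused outright because
    CEF defines no escape for them in the header."""
    s = str(value)
    if "\n" in s or "\r" in s:
        raise ValueError("line break in CEF header field: %r" % s)
    return s.replace("\\", "\\\\").replace("|", "\\|")


def _escape_extension(value):
    """Extension values: backslash and '=' are special, and CR/LF become the
    two-character sequences \\r / \\n so that one event stays on one line."""
    s = str(value).replace("\\", "\\\\").replace("=", "\\=")
    return s.replace("\r", "\\r").replace("\n", "\\n")


def _unescape(text):
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append(_CONTROL.get(text[i + 1], text[i + 1]))
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def format_cef(signature_id, name, severity, extension=None,
               vendor="Mozilla", product="Pancake", version="0.1"):
    """Render one CEF:0 event as a single line. The vendor/product/version
    defaults are placeholders, not Pancake's real identifiers."""
    if not isinstance(severity, int) or not 0 <= severity <= 10:
        raise ValueError("severity must be an integer 0..10")
    header = [_escape_header(f) for f in (vendor, product, version, signature_id, name)]
    pairs = []
    for key, value in (extension or {}).items():
        if not _KEY_RE.fullmatch(key):
            raise ValueError("bad extension key: %r" % key)
        pairs.append("%s=%s" % (key, _escape_extension(value)))
    return "CEF:0|" + "|".join(header) + "|%d|" % severity + " ".join(pairs)


def parse_cef(line):
    """Inverse of format_cef: split the header on unescaped pipes, then the
    extension on ' key=' boundaries, unescaping every piece."""
    prefix = "CEF:0|"
    if not line.startswith(prefix):
        raise ValueError("not a CEF:0 event")
    fields, cur, i = [], [], len(prefix)
    while i < len(line) and len(fields) < 6:
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            cur.append(line[i:i + 2])   # keep the escape pair intact for _unescape
            i += 2
        elif c == "|":
            fields.append(_unescape("".join(cur)))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    if len(fields) != 6:
        raise ValueError("truncated CEF header")
    ext_text = line[i:]
    hits = list(_KEY_AT.finditer(ext_text))
    extension = {}
    for n, m in enumerate(hits):
        end = hits[n + 1].start() - 1 if n + 1 < len(hits) else len(ext_text)
        extension[m.group(1)] = _unescape(ext_text[m.end():end])
    vendor, product, version, sig_id, name, sev = fields
    return {"vendor": vendor, "product": product, "version": version,
            "signature_id": sig_id, "name": name, "severity": int(sev),
            "extension": extension}


if __name__ == "__main__":
    # Constructed sample: a user name carrying a pipe, a newline and a forged
    # second event. After escaping it is still one line and one event.
    evil = "mallory|x\nCEF:0|Evil|Evil|1|99|forged|10|suser=root"
    line = format_cef("1001", "login failure", 3, {"suser": evil, "src": "10.0.0.5"})
    print(line)
    print(parse_cef(line))
```

The point of pairing the formatter with a parser is that the check is mechanical: whatever a request handler puts into an event, a downstream collector splitting on pipes and `key=` boundaries must recover exactly one event with exactly the fields the application emitted. A logging mechanism that builds the line with plain string concatenation fails that round trip as soon as a user name contains a newline.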
==Jetpack, Add-on SDK, Add-on Builder (Dan Veditz)==
==JS (Christian Holler)==
* IonMonkey fuzzing going on, bug frequency decreasing (hooray!). \o/
* First round of OOM testing on IonMonkey complete
* Differential testing can start soon
==DOM, XPConnect (Jesse Ruderman)==
==Layout, Style (Jesse Ruderman)==
==Automation Tools (Gary Kwong)==
* MozTrap went live to production, thanks to everyone who helped w/ secreviews
* [decoder] domfuzz addon now deployed on Tegras (Fennec Native) for fuzzing
==Web Developer Tools (Mark Goodwin)==
* Busy week; Netmonitor review yesterday (this is looking mostly OK), remote debugger / debugger UI review coming on Thursday. Please attend if possible; the debugger exposes powerful functionality.
==Networking (Christoph Diehl)==
* SMS PDU https://bugzilla.mozilla.org/show_bug.cgi?id=741876#c3
* planning to look at SRTP as soon as SMS is finished to complete WebRTC fuzzing.
==Graphics (Christoph Diehl)==
* VP8 fuzzing as requested by dveditz
==Networking (Media / Codecs)==
==Market (Raymond Forbes)==
==Firefox APIs (Raymond Forbes)==
* finishing up review of mozApps navigator
==Payment Flow (Raymond Forbes)==
==App Sync (David Chan)==
* client review underway
==Dynamic API Security Model (Raymond Forbes)==
==WebRT (Raymond Forbes)==
==BrowserID (Yvan Boily)==
* RFP responses in, evaluation upcoming
* Continuing review of sign into browser / browsing context providers
==Identity Services (David Chan --> Yvan Boily / Adam Muntner)==
* no update
==Addons.M.O (Raymond Forbes)==
==Bugzilla.M.O (Mark Goodwin & Eric Parker)==
* Still awaiting some fixes to TellUsMore before I can close out review (but looks good)
* Outstanding whitehat reported bugs - please investigate/triage
==Mozillians (Raymond Forbes)==
==MDN (Raymond Forbes)==
==SUMO (Kitsune) ()==
Revision as of 02:41, 23 May 2012
- Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
- Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
- Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
- Phone (Toronto): 416 848 3114 x92 Conf: 95316#
- Phone (US): 800 707 2533 (pin 369) Conf: 95316#