2013 Security and Privacy Engineering team strategy

Overview

The Security and Privacy Engineering team is tasked with building secure operation and user sovereignty into the web platform and also leveraging the open web to bring these attributes to more environments.

The open web is powerful; the huge number of people working on web standards and software is astonishing, and the rapid advancement of new businesses and technologies online magnifies the need for advances in mechanisms that enable secure systems and users' control over their presence online.

Plan

To build the impact of our team, we should focus on four top-level activities:

1. Share our Knowledge
2. Research new Ideas
3. Consult on Architecture and Design
4. Implement and Deploy

A clear and focused approach to expanding our team's impact in these four areas will lead to a broader connection to the community, more potential for impact, and a safer web.

Share our Knowledge

Our team does lots of great stuff. It's important to tell everyone what we're doing for a variety of reasons.

First, it helps build relevance and a reputation for doing lots of great stuff within the organization; with relevance, we can once again drum up support in taking a leadership position on privacy and security. We have a good story to tell, and need to tell it.

Second, it helps build Mozilla. When we excite the Mozilla community (and the world) about the work we're doing, they'll likely find ways to tie their work into our goal of making the web a safer place. Volunteers who see our progress and mission are more likely to pitch in if they can identify ways to leverage their strengths in our favor. Bloggers will be more aware of what we're doing and have a chance to talk about it. We should maximize the number of people who know what Mozilla stands for and why security and privacy are core to making it *your web*.

Third, it builds our team's core strength. We all feel like we're making an impact, but coming together as a team and telling the story builds excitement and drive. We can feel more comfortable we're doing the right thing when we tell our story and hear from Mozilla and the world what we're doing right, and what else should be done. Mozilla draws its power from the community -- much of this is community support in the work we do. We don't just have a few spokespeople: we have avid fans and supporters all around the world. They should be armed with knowledge of our work and with the power to help guide it.

Communication comes in many forms, including blogging, public talks, brown bags, paper publications, guest lectures, seminars or hackathons, outreach and networking, panel participation, policymaker education, and more. We need to reach out into all the social circles concerned with web security and privacy to obtain guidance and exhibit what we do.

Research new Ideas

Web security and privacy is a field full of huge problems. We don't fully understand them, especially when there are sociological or psychological elements involved. As such, we need to approach security and privacy from two sides: (1) understand peoples mental models and adapt our work to suit them and (2) coming up with new, innovative features and products -- that may or may not be feasible. Research is not only a process through which we can reach understanding of the world's needs, but also a way for us to engage with inventors and academic circles to bring the latest and greatest to the web.

Consult on Architecture and Design

We've built a core of strong security and privacy thought-leaders that can help guide the architecture of Mozilla's offerings to include security and privacy as core tenets. We must engage with other teams to help them build in these attributes as they're designing the architecture of their products. This may involve contributing a threat model or secure design to a team's project, helping in the design phase to make sure our privacy principles are held up in the new project, or by designing and standardizing new web technologies that enhance the security and privacy of the web platform.

Implement and Deploy

Communication, Research and Architecture are all necessary efforts, but in order to spread security and privacy throughout the web, we must follow through and deploy software that assuredly acts under the control of its operator. To do this we write, deploy and maintain software or modules of software across the products in Mozilla; but we also encourage others to participate in this practice. By example, and by encouraging others to think about security and privacy while writing and deploying software, we can make Mozilla software and web properties best at keeping a user in control.

Major Efforts

We have undertaken and are currently working on many projects towards all four themes:

Share our Knowledge:

• Roadmaps BrownBag
• Security & Privacy Blog entries
• Conference speaking/attendance (bsides, OWASP, SOUPS, etc)

Research New Ideas:

• Identity Watchdog (Passwords)
• Support User Profile Pilot

Consult on Architecture and Design:

• B2G Security & Privacy Model
• Process Sandboxing
• Content Security Policy
• Do Not Track

Implement and Deploy:

• Click to Play
• Content Security Policy

And moving forward we will continue to execute on all four of these themes.

(TODO: fill these out with the plan for 2013) Share our Knowledge:

• Help lead a hackathon

Research New Ideas:

• Contextual Identity Phase 2: Identify use cases and build a roadmap

Consult on Architecture and Design:

• Identify and obtain buy-in for Sandboxing strategy

Implement and Deploy: