Security/Meetings/SecurityAssurance/2013-04-16: Difference between revisions
< Security | Meetings | SecurityAssurance
Jump to navigation
Jump to search
(Created page with "{{SecAssuranceMeetingInfo}} {{TOC right}}") |
No edit summary |
||
| Line 1: | Line 1: | ||
{{SecAssuranceMeetingInfo}} | {{SecAssuranceMeetingInfo}} | ||
{{TOC right}} | {{TOC right}} | ||
=Agenda= | |||
* [curtisk] fuzzing meetup during team meeting | |||
** Tue/Wed/Thu | |||
** if Wed do we want to invite outsiders along on the evenings festivities | |||
*** if no then I propose Thu as the date for them to come in and meet with us | |||
* First draft of Q1 summary - https://mana.mozilla.org/wiki/display/SECURITY/2013+-+Q1+Goals | |||
** Additional graphs will be added | |||
* Q2 Goals | |||
** https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AmLct3lOMM6ZdHU3a2lJRV8xckZXclZJdkNlN3dUYVE&usp=sharing | |||
* [decoder] Future of code coverage for tests | |||
** Broke in Feb. Should I spend time getting it to work again, or should I say it's SEP? | |||
*** The current setup is a Rube Goldberg machine. Because it's such a hack, it's hard to maintain. ATeam or RelEng would be in a better place to maintain something like this. | |||
*** Developers keep asking about it. | |||
* [dveditz] Are we tracking "improve the platform to support games better" (vlad's push) as a key initiative worthy of being a specially tracked goal? | |||
** answer: no | |||
* [st3fan] Minion Stories https://wiki.mozilla.org/Minion_User_Stories | |||
* [st3fan] Stooge http://50.56.178.103:11627/ | |||
* [psiinon] ZAP 2.1.0 release this week (just for info;) | |||
* Are we fuzzing B2G? | |||
** We're testing pieces... | |||
*** Gary is fuzzing touch (orangfuzz) | |||
*** Gary is fuzzing JS engine on ARM | |||
*** decoder is fuzzing JS engine on qemu (userspace/normal qemu) | |||
*** Jesse is hoping to fuzz with OMTC enabled on desktop | |||
*** Christoph is fuzzing IPC and codecs on emulator and device | |||
* Metrics | |||
** https://security-review-statistics.vcap.mozillalabs.com/ | |||
** https://people.mozilla.com/~sarentz/p/dashboard | |||
** Review Security Radar Page - https://wiki.mozilla.org/Security/Radar | |||
=Upcoming Speaking Engagements= | |||
(List it at these two locations too: https://developer.mozilla.org/en-US/events & https://wiki.mozilla.org/Security/Talks ) | |||
* [psiinon] April 24 ZAP ThreadFix webinar | |||
* | |||
=Planned Blog Posts= | |||
* https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AlDw2hHXmVgCdHN3LWZTZ0hjMElPc1g2clRKb2lNN3c | |||
* [gkw] Orangfuzz blogpost likely going out today | |||
=Security Review Status (curtisk)= | |||
* Completed in Q1 2013: 66 | |||
https://security-review-statistics.vcap.mozillalabs.com/weekly | |||
=Operations Security Update (Joe Stevensen)= | |||
=Project Updates = | |||
Please add your name to the update so we know who to follow up with | |||
== Firefox Desktop == | |||
== Firefox Mobile == | |||
== Firefox OS == | |||
* [cr] started https://developer.mozilla.org/en-US/docs/Apps/Security_guidelines for Firefox OS app developers and reviewers | |||
** Based on Paul's Google Doc | |||
** Needs reviews | |||
== Firefox Core == | |||
* [gkw] ARM hardware is slowly becoming more feasible for more reliable native fuzzing as they improve over the years | |||
== MarketPlace == | |||
* [cr] started collecting Firefox Market architecture information (rforbes, kang, oremj, more...) | |||
** Required for planning improving and augmenting the review process | |||
** So far not centrally documented, lots of running. | |||
** Input appreciated if you know details on the hosts, databases and webapps involved in the Firefox Market as well as the review and signing process. | |||
== Web Apps == | |||
== Services == | |||
== Operation Security == | |||
Latest revision as of 21:06, 16 April 2013
- Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
- Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
- Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
- Phone (Toronto): 416 848 3114 x92 Conf: 95316#
- Phone (US): 800 707 2533 (pin 369) Conf: 95316#
Agenda
- [curtisk] fuzzing meetup during team meeting
- Tue/Wed/Thu
- if Wed do we want to invite outsiders along on the evenings festivities
- if no then I propose Thu as the date for them to come in and meet with us
- First draft of Q1 summary - https://mana.mozilla.org/wiki/display/SECURITY/2013+-+Q1+Goals
- Additional graphs will be added
- Q2 Goals
- [decoder] Future of code coverage for tests
- Broke in Feb. Should I spend time getting it to work again, or should I say it's SEP?
- The current setup is a Rube Goldberg machine. Because it's such a hack, it's hard to maintain. ATeam or RelEng would be in a better place to maintain something like this.
- Developers keep asking about it.
- Broke in Feb. Should I spend time getting it to work again, or should I say it's SEP?
- [dveditz] Are we tracking "improve the platform to support games better" (vlad's push) as a key initiative worthy of being a specially tracked goal?
- answer: no
- [st3fan] Minion Stories https://wiki.mozilla.org/Minion_User_Stories
- [st3fan] Stooge http://50.56.178.103:11627/
- [psiinon] ZAP 2.1.0 release this week (just for info;)
- Are we fuzzing B2G?
- We're testing pieces...
- Gary is fuzzing touch (orangfuzz)
- Gary is fuzzing JS engine on ARM
- decoder is fuzzing JS engine on qemu (userspace/normal qemu)
- Jesse is hoping to fuzz with OMTC enabled on desktop
- Christoph is fuzzing IPC and codecs on emulator and device
- We're testing pieces...
- Metrics
Upcoming Speaking Engagements
(List it at these two locations too: https://developer.mozilla.org/en-US/events & https://wiki.mozilla.org/Security/Talks )
- [psiinon] April 24 ZAP ThreadFix webinar
Planned Blog Posts
- https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AlDw2hHXmVgCdHN3LWZTZ0hjMElPc1g2clRKb2lNN3c
- [gkw] Orangfuzz blogpost likely going out today
Security Review Status (curtisk)
- Completed in Q1 2013: 66
https://security-review-statistics.vcap.mozillalabs.com/weekly
Operations Security Update (Joe Stevensen)
Project Updates
Please add your name to the update so we know who to follow up with
Firefox Desktop
Firefox Mobile
Firefox OS
- [cr] started https://developer.mozilla.org/en-US/docs/Apps/Security_guidelines for Firefox OS app developers and reviewers
- Based on Paul's Google Doc
- Needs reviews
Firefox Core
- [gkw] ARM hardware is slowly becoming more feasible for more reliable native fuzzing as they improve over the years
MarketPlace
- [cr] started collecting Firefox Market architecture information (rforbes, kang, oremj, more...)
- Required for planning improving and augmenting the review process
- So far not centrally documented, lots of running.
- Input appreciated if you know details on the hosts, databases and webapps involved in the Firefox Market as well as the review and signing process.