SecurityEngineering/2013: Difference between revisions

From MozillaWiki
(Created page with "2013 Security and Privacy Engineering team strategy = Overview = The Security and Privacy Engineering team is tasked with building secure operation and user sovereignty into th...")
 
 
(13 intermediate revisions by one other user not shown)
Line 1: Line 1:
2013 Security and Privacy Engineering team strategy
Working towards our team [[SecurityEngineering/Strategy|Strategy]], this is what we will work towards in 2013.


= Overview =
== Make Firefox More Secure ==
* Evangelism: Larissa's airmo talk on secure UX design [https://code.google.com/p/chromium/issues/detail?id=170453 was picked up by chromium]
* Implement: [[FoxInABox|Sandboxing]] on Linux and E10S ({{bug|653064}})
* Implement: Click-To-Play plugins for Firefox ({{bug|738698}})
* Implement/Evangelize: CSP 1.0 for Firefox platform ({{bug|663566}})
* Implement/Evangelize: Mixed Content Blocker ({{bug|815321}})
* Implement: Application Reputation (anti-malware) ({{bug|662819}})
* Implement/Evangelize: Site security error reporting (web console) {{bug|863874}}


The Security and Privacy Engineering team is tasked with building secure operation and user sovereignty into the web platform and also leveraging the open web to bring these attributes to more environments.
== Build Security and Privacy into Mobile ==
* Consult: [[Apps/Security|B2G App Security Model]]
* Implement: CSP for apps on B2G ({{bug|773891}})
* Implement: App signing for marketplace/B2G ({{bug|772365}})


The open web is powerful; the huge number of people working on web standards and software is astonishing, and the rapid advancement of new businesses and technologies online magnifies the need for advances in mechanisms that enable secure systems and users' control over their presence online.
== Improve User Control Over How Their Information is Shared and Used ==
* Implement/Evangelize: Third Party Cookie blocking {{bug|818430}}, though evolving, will improve control
* Research: [http://www.mozilla.org/en-US/collusion/ Collusion project] improved transparency and generated buzz
* Research: [https://dnt-dashboard.mozilla.org DNT statistics] made available by the web
* Research: [[Security/Contextual_Identity_Project|Contextual identity]] work. (Blushproof, paper)
* Consult: Cookie Clearinghouse


= Plan =
== Build Security into Web Communications ==
 
* Research: Web Crypto
To build the impact of our team, we should focus on four top-level activities:
* Implement: Certificate Revocation upgrades
 
* Implement: Rewrite certificate verification library ({{bug|878932}})
1.  Share our Knowledge
* Implement: Certificate key pinning ({{bug|744204}})
2.  Research new Ideas
* Research/Evangelize/Implement: [https://wiki.mozilla.org/CA:CertificatePolicyV2.1 Certificate Policy] to raise the bar on intermediate CAs
3.  Consult on Architecture and Design
* Research/Implement: [https://addons.mozilla.org/en-US/firefox/addon/password-knight/ Password Knight]
4.  Implement and Deploy
* Research/Implement: [[Security/Features/SSL_Error_Reporting|Certificate error reporting]]
 
A clear and focused approach to expanding our team's impact in these four areas will lead to a broader connection to the community, more potential for impact, and a safer web.
 
== Share our Knowledge ==
Our team does lots of great stuff.  It's important to tell everyone what we're doing for a variety of reasons. 
 
First, it helps build relevance and a reputation for doing lots of great stuff within the organization; with relevance, we can once again drum up support in taking a leadership position on privacy and security.  We have a good story to tell, and need to tell it.
 
Second, it helps build Mozilla.  When we excite the Mozilla community (and the world) about the work we're doing, they'll likely find ways to tie their work into our goal of making the web a safer place.  Volunteers who see our progress and mission are more likely to pitch in if they can identify ways to leverage their strengths in our favor.  Bloggers will be more aware of what we're doing and have a chance to talk about it.  We should maximize the number of people who know what Mozilla stands for and why security and privacy are core to making it *your web*.
 
Third, it builds our team's core strength.  We all feel like we're making an impact, but coming together as a team and telling the story builds excitement and drive.  We can feel more comfortable we're doing the right thing when we tell our story and hear from Mozilla and the world what we're doing right, and what else should be done.  Mozilla draws its power from the community -- much of this is community support in the work we do.  We don't just have a few spokespeople: we have avid fans and supporters all around the world.  They should be armed with knowledge of our work and with the power to help guide it.
 
Communication comes in many forms, including blogging, public talks, brown bags, paper publications, guest lectures, seminars or hackathons, outreach and networking, panel participation, policymaker education, and more.  We need to reach out into all the social circles concerned with web security and privacy to obtain guidance and exhibit what we do.
 
== Research new Ideas ==
Web security and privacy is a field full of huge problems.  We don't fully understand them, especially when there are sociological or psychological elements involved.  As such, we need to approach security and privacy from two sides: (1) understand people's mental models and adapt our work to suit them and (2) come up with new, innovative features and products -- that may or may not be feasible.  Research is not only a process through which we can reach understanding of the world's needs, but also a way for us to engage with inventors and academic circles to bring the latest and greatest to the web.
 
== Consult on Architecture and Design ==
We've built a core of strong security and privacy thought-leaders who can help guide the architecture of Mozilla's offerings to include security and privacy as core tenets.  We must engage with other teams to help them build in these attributes as they're designing the architecture of their products.  This may involve contributing a threat model or secure design to a team's project, helping in the design phase to make sure our privacy principles are held up in the new project, or designing and standardizing new web technologies that enhance the security and privacy of the web platform.
 
== Implement and Deploy ==
Communication, Research and Architecture are all necessary efforts, but in order to spread security and privacy throughout the web, we must follow through and deploy software that assuredly acts under the control of its operator.  To do this we write, deploy and maintain software or modules of software across the products in Mozilla; but we also encourage others to participate in this practice.  By example, and by encouraging others to think about security and privacy while writing and deploying software, we can make Mozilla software and web properties best at keeping a user in control.
 
= Major Efforts =
We have undertaken and are currently working on many projects towards all four themes:
 
Share our Knowledge:
* Roadmaps BrownBag
* Security & Privacy Blog entries
* Conference speaking/attendance (BSides, OWASP, SOUPS, etc.)
 
Research New Ideas:
* Identity Watchdog (Passwords)
* Support User Profile Pilot
 
Consult on Architecture and Design:
* B2G Security & Privacy Model
* Process Sandboxing
* Content Security Policy
* Do Not Track
 
Implement and Deploy:
* Click to Play
* Content Security Policy
 
And moving forward we will continue to execute on all four of these themes.
 
(TODO: fill these out with the plan for 2013)
Share our Knowledge:
* Help lead a hackathon
 
Research New Ideas:
* Contextual Identity Phase 2: Identify use cases and build a roadmap
 
Consult on Architecture and Design:
* Identify and obtain buy-in for Sandboxing strategy
 
Implement and Deploy:

Latest revision as of 18:34, 19 June 2013

Working towards our team Strategy, this is what we will work towards in 2013.

Make Firefox More Secure

Build Security and Privacy into Mobile

Improve User Control Over How Their Information is Shared and Used

  • Implement/Evangelize: Third Party Cookie blocking bug 818430, though evolving, will improve control
  • Research: Collusion project improved transparency and generated buzz
  • Research: DNT statistics made available by the web
  • Research: Contextual identity work. (Blushproof, paper)
  • Consult: Cookie Clearinghouse

Build Security into Web Communications