'''Old revision'''

Welcome to the Mozilla Security wiki.

=== Security-related bugs ===
* [[Security Severity Ratings]]
* [http://www.mozilla.org/security/#For_Developers How to report a security issue]
* [[Security/FixMe|Want to fix a security bug? Here is a list of old thorny bugs you can take on.]]

===Engaging with Security===

====How To Find Us====
Lots of options; we're here to help:
* [mailto:Security@mozilla.org Security@mozilla.org] - email us any questions, concerns, etc.
''(unchanged lines omitted from the diff view)''
* Attend a [[Security/Talks | Security Talk]] given by one of the security team

====Security reviews for new features/products/applications====
''Main Article: [[Security/Reviews]]''
* Find past reviews by [https://wiki.mozilla.org/Category:SecReview Category:SecReview]

====The Mozilla Secure Development Lifecycle====
* Understand the [[Security/Reviews/Secure Development Lifecycle | Secure Development Lifecycle]] used to secure our new features/products/applications
* Information on Bugzilla and the [[Security/Reviews/Bugzilla Components| Security Assurance Component]]

====Security Bug Processes====
* [[Security/Bug_Approval_Process|Approval for Landing Security Bugs]]
* [[Security/Web_Bug_Rotation|Web Bug Verification Rotation]]

====Request a Security or Privacy Review====
* Complete the questions at the following page to provide the basic info to kickstart a security or privacy review
* We'll create and link the corresponding wiki page within the [[Security/Radar|Security Radar]]
* [[Security/Reviews/Review Request Form | Security & Privacy Review Request Form]]

====[[Security/Radar|Security Radar]]====

{| class="wikitable collapsible collapsed" style="width: 100%"
! Unlinked Reviews
|-
|
* [[Security/Reviews/Mobile/AndroidSystemStorage| Android System Storage]]
* [[Security/Firefox/WebAPI/WebBattery| WebBattery]]
* [[Security/Reviews/BrowserIDCAPI| BrowserID C API]]
* [[Security/Reviews/crossoriginAttribute|Add crossorigin attribute]]
* [[Security/Reviews/Firefox10/SyncDialogue|Sync Dialogue]]
* [[Security/Reviews/JetPack2011-20/12 | JetPack 2011-10-12]]
* [[Security/Reviews/XHRnonpost| XHR non-post rewrite]]
* [[Security/Reviews/StubInstaller|Stub Installer]]
* [[Labs/Weave/Sync Client Security Review|Sync Client]]
* [[Firefox Sync/Weave 1.3b5 Client Security Review|Weave 1.3b5 Client]]
* [[Security/Reviews/DNSSEC-TLS|DNSSEC-TLS]]
* [[Security/Reviews/OWA-F1|Web Activities & F1]]
* [[Security/Reviews/ReviewNotes/MouseLock|MouseLock]]
* [[Security/Reviews/ReviewNotes/Joystick|Joystick]]
|}

{| class="wikitable collapsible collapsed" style="width: 100%"
! Unlinked Discussions
|-
|
* [[Security/Discussions/WebRTC|WebRTC]]
|}

===Security Feature Development===
We build secure operation and user sovereignty into the web platform and leverage the open web to bring these attributes to more environments. Check out the [[SecurityEngineering]] page for more info!

=== Security Initiatives ===
* [[Security/TeamEmbedding]]
* Prioritizing and driving non-feature work: [[Security/Driving]]

=== Security Resources and Blogs ===

==== Mozilla Official Sites ====
* [http://www.mozilla.org/security Mozilla Security Center]
* [http://developer.mozilla.org/en/Security Mozilla security developer docs]
* [[CA|Mozilla CA Root Program]]
* [http://blog.mozilla.com/security Mozilla Security blog]
* [http://blog.mozilla.com/webappsec Mozilla WebApp Sec Blog]
* [https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines Secure Coding Guidelines for Webapps]

==== Personal Security Related Blogs of Mozillians ====
* [http://blog.mozilla.com/ladamski Lucas Adamski's blog]
* [http://blog.sidstamm.com Sid Stamm's blog]
* [https://spartiates.wordpress.com/ Curtis Koenig's blog]
* [http://www.squarefree.com/ Jesse Ruderman's blog] ([http://www.squarefree.com/categories/fuzzing/ fuzzing entries], [http://www.squarefree.com/categories/security/ security entries])
* [http://michael-coates.blogspot.com/ Michael Coates]
* [http://blog.mozilla.com/imelven Ian Melven's Mozilla/Security blog]
* [http://blog.mozilla.com/decoder Christian Holler's blog (decoder)]

==== Twitter Accounts of Security Mozillians ====
* [https://twitter.com/mozsec Mozilla Security]
* [https://twitter.com/mozwebsec Mozilla Web Security]
* [https://twitter.com/jruderman Jesse Ruderman]
* [https://twitter.com/curtisko Curtis Koenig] (all kinds of random stuff)
* [https://twitter.com/_mwc Michael Coates]
* [https://twitter.com/flamsmark Tom Lowenthal] (privacy)
* [https://twitter.com/securitae Lucas Adamski]
* [https://twitter.com/alexanderfowler Alex Fowler]
* [https://twitter.com/ygjb Yvan Boily]
* [https://twitter.com/dveditz Daniel Veditz]
* [https://twitter.com/gh_rooster Raymond Forbes]
* [https://twitter.com/openbuddha Al Billings] (but mostly Buddhist and Hackerspace tweets)
* [https://twitter.com/imelven Ian Melven]
* [https://twitter.com/kangsterizer Guillaume Destuynder]
* [https://twitter.com/jstevensen Joe Stevensen]
* [https://twitter.com/nth10sd Gary Kwong] (all sorts of stuff)
* [https://twitter.com/mozdeco Christian Holler (decoder)]
* [https://twitter.com/neoCrimeLabs Michael Henry (tinfoil)]
* [https://twitter.com/tanvihacks Tanvi Vyas]
* [https://twitter.com/psiinon Simon Bennetts (psiinon)]
* [https://twitter.com/matthewdfuller Matt Fuller (mfuller)]
* [https://twitter.com/0x7eff Jeff Bryner (jeff)]

==== OWASP Projects and chapters ====
The Mozilla Security team is heavily involved with [https://www.owasp.org/ OWASP]:
* [https://www.owasp.org/index.php/User:MichaelCoates Michael Coates] - OWASP Chair
* [https://www.owasp.org/index.php/User:Curtis_Koenig Curtis Koenig] - [https://www.owasp.org/index.php/Louisville Louisville] Chapter leader
* [https://www.owasp.org/index.php/User:Mark_Goodwin Mark Goodwin] - [https://www.owasp.org/index.php/East_Midlands East Midlands] Chapter leader
* Raymond Forbes - [https://www.owasp.org/index.php/Seattle Seattle] Chapter leader
* [https://www.owasp.org/index.php/User:Simon_Bennetts Simon Bennetts] - [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project ZAP] Project leader and [https://www.owasp.org/index.php/Manchester Manchester] Chapter leader
* [https://www.owasp.org/index.php/User:Yvan_Boily Yvan Boily] - [https://www.owasp.org/index.php/Vancouver Vancouver] Chapter leader

Mozilla Security team members also frequently talk at OWASP chapter meetings and conferences.

==== Non-Mozilla Resources (blogs, news sites, twitter, tools) ====
* [[Security/OtherSecurityResources| Other Security Resources]]

=== Stuff that needs to be merged into this page properly ===

=== Meeting Notes ===

{| class="wikitable collapsible collapsed" style="width: 100%"
! Meetings
|-
|
* [[Security/Meetings/SecurityAssurance|Security Assurance]]
* [[Security/AppSecBiweekly|AppSec Bi-Weekly]]

{| class="wikitable collapsible collapsed" style="width: 100%"
! SecTeam Meetings 2012
|-
|
* [[Security/Meetings/2012-02-01|2012-02-01]]
* [[Security/Meetings/2012-01-25|2012-01-25]]
* [[Security/Meetings/2012-01-18|2012-01-18]]
* [[Security/Meetings/2012-01-11|2012-01-11]]
* [[Security/Meetings/2012-01-04|2012-01-04]]
|}

{| class="wikitable collapsible collapsed" style="width: 100%"
! SecTeam Meetings 2011
|-
|
* [[Security/Meetings/2011-12-28|2011-12-28]]
* [[Security/Meetings/2011-12-21|2011-12-21]]
* [[Security/Meetings/2011-12-07|2011-12-14]]
* [[Security/Meetings/2011-12-07|2011-12-07]]
* [[Security/Meetings/2011-11-30|2011-11-30]]
* [[Security/Meetings/2011-11-23|2011-11-23]]
* [[Security/Meetings/2011-11-16|2011-11-16]]
* [[Security/Meetings/2011-11-09|2011-11-09]]
* [[Security/Meetings/2011-11-02|2011-11-02]]
* [[Security/Meetings/2011-10-26|2011-10-26]]
* [[Security/Meetings/2011-10-19|2011-10-19]]
* [[Security/Meetings/2011-10-12|2011-10-12]]
* [[Security/Meetings/2011-10-05|2011-10-05]]
* [[Security/Meetings/2011-09-28|2011-09-28]]
* No meeting on 9/14 (All Hands) or 9/21 (Fuzzing Work Week)
* [[Security/Meetings/2011-09-07|2011-09-07]]
* [[Security/Meetings/2011-08-31|2011-08-31]]
* [[Security/Meetings/2011-08-24|2011-08-24]]
* [[Security/Meetings/lifecycledisc|Life Cycle discussion]]
* [[Security/Meetings/2011-08-17|2011-08-17]]
* [[Security/Meetings/2011-08-10|2011-08-10]]
* [[Security/Meetings/2011-07-27|2011-07-27]]
* [[Security/Meetings/2011-07-20|2011-07-20]]
* [[Security/Meetings/2011-07-13|2011-07-13]]
* [[Security/Meetings/2011-07-06|2011-07-06]]
* [[Security/Meetings/2011-06-29|2011-06-29]]
* [[Security/Meetings/2011-06-22|2011-06-22]]
* [[Security/Meetings/2011-06-15|2011-06-15]]
* [[Security/Meetings/2011-06-08|2011-06-08]]
* [[Security/Meetings/2011-06-01|2011-06-01]]
|}

{| class="wikitable collapsible collapsed" style="width: 100%"
! Joint Secteam-Infrasec Meetings 2012
|-
|
* [[Security/Meetings/2012-01-12|2012-01-12]]
|}

{| class="wikitable collapsible collapsed" style="width: 100%"
! Joint Secteam-Infrasec Meetings 2011
|-
|
* [[Security/Meetings/2011-12-15|2011-12-15]]
* [[Security/Meetings/2011-11-17|2011-11-17]]
* [[Security/Meetings/2011-10-06|2011-10-06]]
* [[Security/Meetings/2011-09-08|2011-09-08]]
* [[Security/Meetings/2011-08-25|2011-08-25]]
* [[Security/Meetings/2011-08-11|2011-08-11]]
* [[Security/Meetings/2011-07-28|2011-07-28]]
* [[Security/Meetings/2011-06-16|2011-06-16]]
|}
|}

'''New revision'''

'''STATUS: MOCKUP / DRAFT'''

Welcome to the Mozilla Security wiki.

===How To Find Us===
Lots of options; we're here to help:
* [mailto:Security@mozilla.org Security@mozilla.org] - email us any questions, concerns, etc.
''(unchanged lines omitted from the diff view)''
* Attend a [[Security/Talks | Security Talk]] given by one of the security team

=== Security-related bugs ===
* [[Security Severity Ratings]]
* [http://www.mozilla.org/security/#For_Developers How to report a security issue]
* [[Security/FixMe|Want to fix a security bug? Here is a list of old thorny bugs you can take on.]]

===[[Security/Reviews|Security Reviews]]===
''Main Article: [[Security/Reviews]]''
* Need a security review, or want to find the documentation of completed reviews? This is what you're looking for.
** [https://bugzilla.mozilla.org/form.moz-project-review Project Kick-Off Form]
** [[Security/Reviews/Review Request Form | Security & Privacy Review Request Form]]
** Find past reviews by [https://wiki.mozilla.org/Category:SecReview Category:SecReview]

''To be moved under this page:''
* [[Security/Radar|Security Radar]]

{| class="wikitable collapsible collapsed" style="width: 100%"
! Unlinked Reviews
|-
|
* [[Security/Reviews/Mobile/AndroidSystemStorage| Android System Storage]]
* [[Security/Firefox/WebAPI/WebBattery| WebBattery]]
* [[Security/Reviews/BrowserIDCAPI| BrowserID C API]]
* [[Security/Reviews/crossoriginAttribute|Add crossorigin attribute]]
* [[Security/Reviews/Firefox10/SyncDialogue|Sync Dialogue]]
* [[Security/Reviews/JetPack2011-20/12 | JetPack 2011-10-12]]
* [[Security/Reviews/XHRnonpost| XHR non-post rewrite]]
* [[Security/Reviews/StubInstaller|Stub Installer]]
* [[Labs/Weave/Sync Client Security Review|Sync Client]]
* [[Firefox Sync/Weave 1.3b5 Client Security Review|Weave 1.3b5 Client]]
* [[Security/Reviews/DNSSEC-TLS|DNSSEC-TLS]]
* [[Security/Reviews/OWA-F1|Web Activities & F1]]
* [[Security/Reviews/ReviewNotes/MouseLock|MouseLock]]
* [[Security/Reviews/ReviewNotes/Joystick|Joystick]]
|}

{| class="wikitable collapsible collapsed" style="width: 100%"
! Unlinked Discussions
|-
|
* [[Security/Discussions/WebRTC|WebRTC]]
|}

===[[Security/Process|Security Process Documents]]===
''Main Article: [[Security/Process]]''
* Need a security approval? Looking for the documentation on how we do what we do? Look no further!

''To be moved under this page/area:''
* [[Security/Bug_Approval_Process|Approval for Landing Security Bugs]]
* [[Security/Web_Bug_Rotation|Web Bug Verification Rotation]]
* Understand the [[Security/Reviews/Secure Development Lifecycle | Secure Development Lifecycle]] used to secure our new features/products/applications
* Information on Bugzilla and the [[Security/Reviews/Bugzilla Components| Security Assurance Component]]

===[[SecurityEngineering|Security Feature Development]]===
[[SecurityEngineering|Security Engineering]]
* We build secure operation and user sovereignty into the web platform and leverage the open web to bring these attributes to more environments.

===[[Security/Initiateves|Security Initiatives]]===
[[Security/Initiateves|Security Initiatives]]
* Initiatives the security team is currently working on or has worked on in the past (i.e. Embedding and Champions)

=== Security Resources and Blogs ===
* [[Security/Resources|Mozilla Resources]]
* [[Security/OtherSecurityResources|Other Resources]]

===[[Security/Meetings|Security Meeting Notes]]===
[[Security/Meetings|Meetings]]