Security/MockUp: Difference between revisions

From MozillaWiki
Older revision
(Created page with "Welcome to the Mozilla Security wiki. === Security-related bugs === * Security Severity Ratings * [http://www.mozilla.org/security/#For_Developers How to report a sec...")

Welcome to the Mozilla Security wiki.

=== Security-related bugs ===
* [[Security Severity Ratings]]
* [http://www.mozilla.org/security/#For_Developers How to report a security issue]
* [[Security/FixMe|Want to fix a security bug? Here is a list of old thorny bugs you can take on.]]

===Engaging with Security===
====How To Find Us====
Lots of options, we're here to help:
* [mailto:Security@mozilla.org Security@mozilla.org] - email us any questions, concerns, etc.
* Bugzilla Keyword - '''sec-review-needed''' - We triage based on this keyword and will jump in to provide assistance
* '''#security''' on [https://wiki.mozilla.org/IRC IRC]
* File a security/privacy review request via this [https://wiki.mozilla.org/Security/Reviews/Review_Request_Form link]
* Attend a [[Security/Talks | Security Talk]] given by one of the security team

====Security reviews for new features/products/applications====
''Main Article: [[Security/Reviews]]''
* Find past reviews by [https://wiki.mozilla.org/Category:SecReview Category:SecReview]
====The Mozilla Secure Development Lifecycle====
* Understand the [[Security/Reviews/Secure Development Lifecycle | Secure Development Lifecycle]] used to secure our new features/products/applications
* Information on Bugzilla and the [[Security/Reviews/Bugzilla Components| Security Assurance Component]]
====Security Bug Processes====
* [[Security/Bug_Approval_Process|Approval for Landing Security Bugs]]
* [[Security/Web_Bug_Rotation|Web Bug Verification Rotation]]

====Request a Security or Privacy Review====
* Complete the questions at the following page to provide the basic info to kickstart a security or privacy review
* We'll create and link the corresponding wiki page within the [[Security/Radar|Security Radar]]
* [[Security/Reviews/Review Request Form | Security & Privacy Review Request Form]]
====[[Security/Radar|Security Radar]]====

{| class="wikitable collapsible collapsed" style="width: 100%"
! Unlinked Reviews
|-
|
* [[Security/Reviews/Mobile/AndroidSystemStorage| Android System Storage]]
* [[Security/Firefox/WebAPI/WebBattery| WebBattery]]
* [[Security/Reviews/BrowserIDCAPI| BrowserID C API]]
* [[Security/Reviews/crossoriginAttribute|Add crossorigin attribute]]
* [[Security/Reviews/Firefox10/SyncDialogue|Sync Dialogue]]
* [[Security/Reviews/JetPack2011-20/12 | JetPack 2011-10-12]]
* [[Security/Reviews/XHRnonpost| XHR non-post rewrite]]
* [[Security/Reviews/StubInstaller|Stub Installer]]
* [[Labs/Weave/Sync Client Security Review|Sync Client]]
* [[Firefox Sync/Weave 1.3b5 Client Security Review|Weave 1.3b5 Client]]
* [[Security/Reviews/DNSSEC-TLS|DNSSEC-TLS]]
* [[Security/Reviews/OWA-F1|Web Activities & F1]]
* [[Security/Reviews/ReviewNotes/MouseLock|MouseLock]]
* [[Security/Reviews/ReviewNotes/Joystick|Joystick]]
|}

{| class="wikitable collapsible collapsed" style="width: 100%"
! Unlinked Discussions
|-
|
* [[Security/Discussions/WebRTC|WebRTC]]
|}

===Security Feature Development===
We build secure operation and user sovereignty into the web platform and leverage the open web to bring these attributes to more environments. Check out the [[SecurityEngineering]] page for more info!

=== Security Initiatives ===
We focus hard on ways to improve the privacy and security of all web users, in a Mozilla way that engages the community in our design and implementation decisions. These priorities are reflected in the projects this team manages, public evangelism and participation in relevant standards bodies to maximize adoption of new privacy & security mechanisms.

*[[Security/TeamEmbedding]]
*Prioritizing and driving non-feature work: [[Security/Driving]]

=== Security Resources and Blogs ===

==== Mozilla Official Sites ====
* [http://www.mozilla.org/security Mozilla Security Center]
* [http://developer.mozilla.org/en/Security Mozilla security developer docs]
* [[CA|Mozilla CA Root Program]]
* [http://blog.mozilla.com/security Mozilla Security blog]
* [http://blog.mozilla.com/webappsec Mozilla WebApp Sec Blog]
* [https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines Secure Coding Guidelines for Webapps]

==== Personal Security Related Blogs of Mozillians ====
* [http://blog.mozilla.com/ladamski Lucas Adamski's blog]
* [http://blog.sidstamm.com Sid Stamm's blog]
* [https://spartiates.wordpress.com/ Curtis Koenig's blog]
* [http://www.squarefree.com/ Jesse Ruderman's blog] ([http://www.squarefree.com/categories/fuzzing/ fuzzing entries], [http://www.squarefree.com/categories/security/ security entries])
* [http://michael-coates.blogspot.com/ Michael Coates]
* [http://blog.mozilla.com/imelven Ian Melven's Mozilla/Security blog]
* [http://blog.mozilla.com/decoder Christian Holler's blog (decoder)]

==== Twitter Accounts of Security Mozillians ====
* [https://twitter.com/mozsec Mozilla Security]
* [https://twitter.com/mozwebsec Mozilla Web Security]
* [https://twitter.com/jruderman Jesse Ruderman]
* [https://twitter.com/curtisko Curtis Koenig] (all kinds of random stuff)
* [https://twitter.com/_mwc Michael Coates]
* [https://twitter.com/flamsmark Tom Lowenthal] (privacy)
* [https://twitter.com/securitae Lucas Adamski]
* [https://twitter.com/alexanderfowler Alex Fowler]
* [https://twitter.com/ygjb Yvan Boily]
* [https://twitter.com/dveditz Daniel Veditz]
* [https://twitter.com/gh_rooster Raymond Forbes]
* [https://twitter.com/openbuddha Al Billings] (but mostly Buddhist and Hackerspace tweets)
* [https://twitter.com/imelven Ian Melven]
* [https://twitter.com/kangsterizer Guillaume Destuynder]
* [https://twitter.com/jstevensen Joe Stevensen]
* [https://twitter.com/nth10sd Gary Kwong] (all sorts of stuff)
* [https://twitter.com/mozdeco Christian Holler (decoder)]
* [https://twitter.com/neoCrimeLabs Michael Henry (tinfoil)]
* [https://twitter.com/tanvihacks Tanvi Vyas]
* [https://twitter.com/psiinon Simon Bennetts (psiinon)]
* [https://twitter.com/matthewdfuller Matt Fuller (mfuller)]
* [https://twitter.com/0x7eff Jeff Bryner (jeff)]

==== OWASP Projects and chapters ====
The Mozilla Security team is heavily involved with [https://www.owasp.org/ OWASP]:
* [https://www.owasp.org/index.php/User:MichaelCoates Michael Coates] - OWASP Chair
* [https://www.owasp.org/index.php/User:Curtis_Koenig Curtis Koenig] - [https://www.owasp.org/index.php/Louisville Louisville] Chapter leader
* [https://www.owasp.org/index.php/User:Mark_Goodwin Mark Goodwin] - [https://www.owasp.org/index.php/East_Midlands East Midlands] Chapter leader
* Raymond Forbes - [https://www.owasp.org/index.php/Seattle Seattle] Chapter leader
* [https://www.owasp.org/index.php/User:Simon_Bennetts Simon Bennetts] - [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project ZAP] Project leader and [https://www.owasp.org/index.php/Manchester Manchester] Chapter leader
* [https://www.owasp.org/index.php/User:Yvan_Boily Yvan Boily] - [https://www.owasp.org/index.php/Vancouver Vancouver] Chapter leader
Mozilla Security team members also frequently talk at OWASP chapter meetings and conferences.

==== Non-Mozilla Resources (blogs, news sites, twitter, tools) ====
* [[Security/OtherSecurityResources| Other Security Resources]]

=== Stuff that needs to be merged into this page properly ===

=== Meeting Notes ===
{| class="wikitable collapsible collapsed" style="width: 100%"
! Meetings
|-
|
* [[Security/Meetings/SecurityAssurance|Security Assurance]]
* [[Security/AppSecBiweekly|AppSec Bi Weekly]]

{| class="wikitable collapsible collapsed" style="width: 100%"
! SecTeam Meetings 2012
|-
|
* [[Security/Meetings/2012-02-01|2012-02-01]]
* [[Security/Meetings/2012-01-25|2012-01-25]]
* [[Security/Meetings/2012-01-18|2012-01-18]]
* [[Security/Meetings/2012-01-11|2012-01-11]]
* [[Security/Meetings/2012-01-04|2012-01-04]]
|}
{| class="wikitable collapsible collapsed" style="width: 100%"
! SecTeam Meetings 2011
|-
|
* [[Security/Meetings/2011-12-28|2011-12-28]]
* [[Security/Meetings/2011-12-21|2011-12-21]]
* [[Security/Meetings/2011-12-07|2011-12-14]]
* [[Security/Meetings/2011-12-07|2011-12-07]]
* [[Security/Meetings/2011-11-30|2011-11-30]]
* [[Security/Meetings/2011-11-23|2011-11-23]]
* [[Security/Meetings/2011-11-16|2011-11-16]]
* [[Security/Meetings/2011-11-09|2011-11-09]]
* [[Security/Meetings/2011-11-02|2011-11-02]]
* [[Security/Meetings/2011-10-26|2011-10-26]]
* [[Security/Meetings/2011-10-19|2011-10-19]]
* [[Security/Meetings/2011-10-12|2011-10-12]]
* [[Security/Meetings/2011-10-05|2011-10-05]]
* [[Security/Meetings/2011-09-28|2011-09-28]]
* No meeting on 9/14 (All Hands) or 9/21 (Fuzzing Work Week)
* [[Security/Meetings/2011-09-07|2011-09-07]]
* [[Security/Meetings/2011-08-31|2011-08-31]]
* [[Security/Meetings/2011-08-24|2011-08-24]]
* [[Security/Meetings/lifecycledisc|Life Cycle discussion]]
* [[Security/Meetings/2011-08-17|2011-08-17]]
* [[Security/Meetings/2011-08-10|2011-08-10]]
* [[Security/Meetings/2011-07-27|2011-07-27]]
* [[Security/Meetings/2011-07-20|2011-07-20]]
* [[Security/Meetings/2011-07-13|2011-07-13]]
* [[Security/Meetings/2011-07-06|2011-07-06]]
* [[Security/Meetings/2011-06-29|2011-06-29]]
* [[Security/Meetings/2011-06-22|2011-06-22]]
* [[Security/Meetings/2011-06-15|2011-06-15]]
* [[Security/Meetings/2011-06-08|2011-06-08]]
* [[Security/Meetings/2011-06-01|2011-06-01]]
|}

{| class="wikitable collapsible collapsed" style="width: 100%"
! Joint Secteam-Infrasec Meetings 2012
|-
|
* [[Security/Meetings/2012-01-12|2012-01-12]]
|}
{| class="wikitable collapsible collapsed" style="width: 100%"
! Joint Secteam-Infrasec Meetings 2011
|-
|
* [[Security/Meetings/2011-12-15|2011-12-15]]
* [[Security/Meetings/2011-11-17|2011-11-17]]
* [[Security/Meetings/2011-10-06|2011-10-06]]
* [[Security/Meetings/2011-09-08|2011-09-08]]
* [[Security/Meetings/2011-08-25|2011-08-25]]
* [[Security/Meetings/2011-08-11|2011-08-11]]
* [[Security/Meetings/2011-07-28|2011-07-28]]
* [[Security/Meetings/2011-06-16|2011-06-16]]
|}
|}

(8 intermediate revisions by 2 users not shown)

Newer revision

'''STATUS: MOCKUP / DRAFT'''
Welcome to the Mozilla Security wiki.

'''Purpose:''' Houses process items, team documents, and other “work papers” that we produce in a day to day context.

===How To Find Us===
Lots of options, we're here to help:
* [mailto:Security@mozilla.org Security@mozilla.org] - email us any questions, concerns, etc.
* Bugzilla flag - '''sec-review''' - We triage based on this flag; you don't need to set a target person, we'll work that out if you don't know
* '''#security''' on [https://wiki.mozilla.org/IRC IRC]
* File a security/privacy review request via this [https://wiki.mozilla.org/Security/Reviews/Review_Request_Form link]
* Attend a [[Security/Talks | Security Talk]] given by one of the security team

==== Other Security Pages ====
[https://www.mozilla.org/security www.mozilla.org/security]
* This is the official Mozilla Security page.
** Bug bounty information, advisories, tips for safety and security, information about Mozilla Security-Group

[https://blog.mozilla.org/security blog.mozilla.org/security]
* The official blog of Mozilla Security; posts are written not only by Security team members but also by other involved individuals and guests, on topics of Mozilla Security.

[https://securitywiki.mozilla.org securitywiki.mozilla.org]
* Houses internal items for client security work

[https://mana.mozilla.org/wiki/display/SECURITY/Home Mana Pages for security]
* Houses MoCo-only items such as internal process documents or other corporate items that are generally not of interest to the community.

===[[SecurityEngineering|Security Feature Development]]===
At Mozilla, we build secure operation and user sovereignty into the web platform and leverage the open web to bring these attributes to more environments.

We focus hard on ways to improve the privacy and security of all web users, in a Mozilla way that engages the community in our design and implementation decisions. These priorities are reflected in the projects this team manages, public evangelism and participation in relevant standards bodies to maximize adoption of new privacy & security mechanisms.

For more information and how to participate: [[SecurityEngineering|Security Engineering]]

=== Security-related bugs ===
* [[Security Severity Ratings]]
* [http://www.mozilla.org/security/#For_Developers How to report a security issue]
* [[Security/FixMe|Want to fix a security bug? Here is a list of old thorny bugs you can take on.]]

===[[Security/Reviews|Security Reviews]]===
''Main Article: [[Security/Reviews]]''
* Need a security review or to find the documentation of completed reviews? This is what you're looking for.
** [https://bugzilla.mozilla.org/form.moz-project-review Project Kick-Off Form]
** [[Security/Reviews/Review Request Form | Security & Privacy Review Request Form]]
** Find past reviews by [https://wiki.mozilla.org/Category:SecReview Category:SecReview]
''To be moved under this page:''
* [[Security/Radar|Security Radar]]
{| class="wikitable collapsible collapsed" style="width: 100%"
! Unlinked Reviews
|-
|
* [[Security/Reviews/Mobile/AndroidSystemStorage| Android System Storage]]
* [[Security/Firefox/WebAPI/WebBattery| WebBattery]]
* [[Security/Reviews/BrowserIDCAPI| BrowserID C API]]
* [[Security/Reviews/crossoriginAttribute|Add crossorigin attribute]]
* [[Security/Reviews/Firefox10/SyncDialogue|Sync Dialogue]]
* [[Security/Reviews/JetPack2011-20/12 | JetPack 2011-10-12]]
* [[Security/Reviews/XHRnonpost| XHR non-post rewrite]]
* [[Security/Reviews/StubInstaller|Stub Installer]]
* [[Labs/Weave/Sync Client Security Review|Sync Client]]
* [[Firefox Sync/Weave 1.3b5 Client Security Review|Weave 1.3b5 Client]]
* [[Security/Reviews/DNSSEC-TLS|DNSSEC-TLS]]
* [[Security/Reviews/OWA-F1|Web Activities & F1]]
* [[Security/Reviews/ReviewNotes/MouseLock|MouseLock]]
* [[Security/Reviews/ReviewNotes/Joystick|Joystick]]
|}
{| class="wikitable collapsible collapsed" style="width: 100%"
! Unlinked Discussions
|-
|
* [[Security/Discussions/WebRTC|WebRTC]]
|}

===[[Security/Process|Security Process Documents]]===
''Main Article: [[Security/Process]]''
* Need a security approval? Looking for the documentation on how we do what we do? Look no further!
''To be moved under this page/area:''
* [[Security/Bug_Approval_Process|Approval for Landing Security Bugs]]
* [[Security/Web_Bug_Rotation|Web Bug Verification Rotation]]
* Understand the [[Security/Reviews/Secure Development Lifecycle | Secure Development Lifecycle]] used to secure our new features/products/applications
* Information on Bugzilla and the [[Security/Reviews/Bugzilla Components| Security Assurance Component]]

===[[Security/Initiateves|Security Initiatives]]===
[[Security/Initiateves|Security Initiatives]]
* Initiatives the security team is currently working on or has worked on in the past (i.e. Embedding and Champions)

=== Security Resources and Blogs ===
[[Security/Resources|Mozilla Resources]]
[[Security/OtherSecurityResources|Other Resources]]

===[[Security/Meetings|Security Meeting Notes]]===
[[Security/Meetings|Meetings]]

Latest revision as of 15:46, 15 November 2013