Confirmed users
529
edits
Security/Automation/WinterOfSecurity2014: Difference between revisions
Security/Automation/WinterOfSecurity2014 (view source)
Revision as of 13:16, 19 July 2014
, 19 July 2014→Media
(→Media) |
|||
| (6 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
= Winter Of Security 2014 = | = Winter Of Security 2014 = | ||
The Winter of Security (MWOS) is Mozilla program to involve students with Security projects. Students who have to perform a semester project as part of their university curriculum can apply to one of the MWOS project. Projects are guided by a Mozilla Adviser, and a University Professor. Students are graded by their University, based on success criteria identified at the beginning of the project. Mozilla Advisers allocate up to 2 hours each week to their students, typically on video-conference, to discuss progress and roadblocks. | [[File:WinterOfSecurity_logo_light_horizontal.png|right|500px]] | ||
The Winter of Security (MWOS) is Mozilla's program to involve students with Security projects. Students who have to perform a semester project as part of their university curriculum can apply to one of the MWOS project. Projects are guided by a Mozilla Adviser, and a University Professor. Students are graded by their University, based on success criteria identified at the beginning of the project. Mozilla Advisers allocate up to 2 hours each week to their students, typically on video-conference, to discuss progress and roadblocks. | |||
Projects are focused on building security tools, and students are expected to write code which must be released as Open Source. Universities are free to specify their own requirements to projects, such as written reports. Mozilla does not influence the way grades are allocated, but advisers will provide any information professors need in order to grade their students. | Projects are focused on building security tools, and students are expected to write code which must be released as Open Source. Universities are free to specify their own requirements to projects, such as written reports. Mozilla does not influence the way grades are allocated, but advisers will provide any information professors need in order to grade their students. | ||
| Line 15: | Line 16: | ||
* links to relevant resources (university website, resumes, ...) | * links to relevant resources (university website, resumes, ...) | ||
'''UPDATE: Application to the 2014 edition of Mozilla Winter of Security are now closed.''' | |||
== Timeline == | == Timeline == | ||
| Line 47: | Line 48: | ||
ZAP is the most active OWASP project and was voted the most popular security tool of 2013 by ToolsWatch.org reeaders. It is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential. | ZAP is the most active OWASP project and was voted the most popular security tool of 2013 by ToolsWatch.org reeaders. It is written in Java, so a good knowledge of this language is recommended, as is knowledge of HTML. Some knowledge of application security would be useful, but not essential. | ||
=== Forensic === | === Forensic === | ||
| Line 92: | Line 85: | ||
==== Compliance checking of TLS configuration ==== | ==== Compliance checking of TLS configuration ==== | ||
* Mozilla Advisor: [https://mozillians.org/en-US/u/jvehent/ Julien Vehent] | * Mozilla Advisor: [https://mozillians.org/en-US/u/jvehent/ Julien Vehent] | ||
* difficulty: | * difficulty: medium | ||
* language: english or french | * language: english or french | ||
Mozilla maintains guidelines for [[Security/Server_Side_TLS|server side configurations of SSL/TLS]] that we use to guide the deployment of secure channels everywhere. The goal of this project is to build a tool that verifies compliance of a configuration with our guidelines, and help the administrators improve their security. The tool must be able to evaluate the quality of ciphers, detect required features such as OCSP stapling, and evaluate certificates. It is very similar in philosophy to project like SSL Labs and [https://github.com/jvehent/cipherscan Cipherscan], but mixed with a certificate observatory. The end goal is to help administrators reach a better security level, and measure compliance against Mozilla's policies. The team will be free of reusing existing tools, or build a new one from scratch. | Mozilla maintains guidelines for [[Security/Server_Side_TLS|server side configurations of SSL/TLS]] that we use to guide the deployment of secure channels everywhere. The goal of this project is to build a tool that verifies compliance of a configuration with our guidelines, and help the administrators improve their security. The tool must be able to evaluate the quality of ciphers, detect required features such as OCSP stapling, and evaluate certificates. It is very similar in philosophy to project like SSL Labs and [https://github.com/jvehent/cipherscan Cipherscan], but mixed with a certificate observatory. The end goal is to help administrators reach a better security level, and measure compliance against Mozilla's policies. The team will be free of reusing existing tools, or build a new one from scratch. | ||
| Line 115: | Line 108: | ||
It should be very easy to use, and allow the diagrams to be exported in the most common image formats. | It should be very easy to use, and allow the diagrams to be exported in the most common image formats. | ||
The graphical elements of the [https://www.microsoft.com/security/sdl/adopt/threatmodeling.aspx Microsoft Threat Modeling tool] are a good example of the type of functionality required. | The graphical elements of the [https://www.microsoft.com/security/sdl/adopt/threatmodeling.aspx Microsoft Threat Modeling tool] are a good example of the type of functionality required. | ||
== FAQ == | |||
* What is meant by "Presentation of the University program" in the application form? | |||
We would like to see what kind of degree your are currently pursuing (e.g. Bachelor of Science in Computer Science or Master of Science in IT Security, ..), as well as a description of the University itself. This is another data point that gives us more information about the applicants' chances to successfully complete a project. | |||
* Can students apply to multiple projects? | |||
Yes. Students can apply to one or more projects. Students cannot apply twice for the same project, even if their team compositions varies. | |||
* What criteria will you use to select the candidates? | |||
The skills and passion of the team members are key points. The size of the team may play in the favor of applicants, but is not a requirement. A single candidate who can show a portfolio of successful projects will have the same chances as larger teams. | |||
Commitment from the University is a strong requirement. Students need to demonstrate that their professors support them, and will give them time to work on the projects. The ideal situation is for a team to pick a MWoS project as their final thesis, and work on the project for a full semester. Not all students will be able to do so, and we will evaluate all applications with the same level of scrutiny. | |||
* Can I still work on Mozilla projects if I am not selected for MWoS? | |||
Yes! We continuously have projects that are available for students to grab! Take a look at the [[Security/Mentorship|Mentorship]] program, and reach out to us in the #security IRC channel if you are interested. | |||
== Media == | |||
[[File:WinterOfSecurity_logo_light_horizontal.png|400px]] | |||
[[File:WinterOfSecurity_logo_dark_horizontal.png|400px]] | |||
[[File:WinterOfSecurity_logo_light_vertical.png|300px]] | |||
[[File:WinterOfSecurity_logo_dark_vertical2.png|300px]] | |||