WebAppSec: Difference between revisions
| (56 intermediate revisions by 6 users not shown) | |||
| Line 1: | Line 1: | ||
= Mozilla Web Application Security = | = Mozilla Web Application Security = | ||
Welcome to the home page for Mozilla Web Application Security. This page will provide security information related to Mozilla hosted web applications and web services. | |||
== Secure Development Guidance == | |||
[ | [[WebAppSec/Web_App_Severity_Ratings|Web Application Security Severity Ratings]] | ||
== Presentations == | [[WebAppSec/Secure_Coding_Guidelines|Secure Coding Guidelines]] | ||
[[WebAppSec/Secure_Coding_QA_Checklist|Secure Coding QA Checklist]] | |||
== Request a Security Review == | |||
Are you releasing a Mozilla web application or service? If so, the Mozilla infrasec team can review the code and running application for security flaws. | |||
[[WebAppSec/Security_Review_Request|Security Review Request]] | |||
[[WebAppSec/Wordpress_Security_Review_Process|Wordpress Theme or Plugin - Security Install Process]] | |||
==Filing a Web Security Bug== | |||
For instructions regarding the use of Bugzilla to file a web security bug, visit: [[WebAppSec/Filing_In_Bugzilla|Filing a Web Security Bug in Bugzilla]] | |||
== Presentations == | |||
Infrastructure security will be presenting on various security topics on a regular basis. These courses are free and open to anyone that would like to attend. For those that are remote, please join us on air.mozilla.org to remotely watch the presentation. | |||
===Schedule-2012=== | |||
===Schedule-2011-Archive=== | |||
===='''April 23, 2011 - Stanford Open Source Bootcamp'''==== | |||
* Topic: Securing Web Applications through Hands On Security Hacking | |||
* Slides: [http://people.mozilla.org/~mcoates/WebAppSec-Training.html Securing Web Applications] | |||
===='''[https://wiki.mozilla.org/WebAppSec/Presentations/2011-07-14-MobileHacking July 14, 2011 - Mobile Hacking]'''==== | |||
* Topic: Blake Turrentine presents Mobile Hacking courseware for BlackHat 2011 | |||
* Time: 6pm-9:30pm Pacific | |||
* Location: Mountain View (10 Forward) (Sorry, no streaming) | |||
* Remote Participation: No, lab element requires in-person attendance | |||
* Limited Space - [https://wiki.mozilla.org/WebAppSec/Presentations/2011-07-14-MobileHacking#RSVP RSVP Required] | |||
===='''July 20, 2011 - Hands-On Hacking Brownbag - Cross Site Scripting''' ==== | |||
* Topic: Cross Site Scripting | |||
* Time: 12pm-1pm Pacific | |||
* Location: Mountain View (10 Forward) | |||
* Remote Participation: Yes, streaming via air.mozilla.org | |||
* '''''Important''''' Lab Setup - Please setup your VM test instance prior to the session - [http://people.mozilla.org/~mcoates/WebSecurityLab.html#installation instructions] | |||
* 10 minute online video - [http://www.youtube.com/watch?v=_Z9RQSnf8-g&feature=channel_video_title Cross Site Scripting] | |||
* Archived [http://www.slideshare.net/michael_coates/cross-site-scripting-mozilla-security-learning-center Slides] | |||
===='''August 16, 2011 - Hands-On Hacking Brownbag - SQL Injection'''==== | |||
* Topic: SQL Injection | |||
* Time: 12pm-1pm Pacific | |||
* Location: Mountain View (10 Forward) | |||
* Remote Participation: Yes, streaming via [http://air.mozilla.org air.mozilla.org] | |||
* Lab Setup - Please setup your VM test instance prior to the session - [http://people.mozilla.org/~mcoates/WebSecurityLab.html instructions] | |||
* 10 minute online video - [http://www.youtube.com/watch?v=pypTYPaU7mM&feature=channel_video_title Injection Attacks] | |||
* Archived [http://www.slideshare.net/michael_coates/sql-injection-mozilla-security-learning-center Slides] | |||
===='''August 25, 2011 - OWASP Bay Area Chapter Meeting '''==== | |||
* Topic: Application Security Topics | |||
** 6:00 PM - 6:30 PM .............Check-in, registration, networking | |||
** 6:30 PM – 6:35 PM ........... Welcome Remarks/Agenda - Mandeep Khera | |||
** 6:35 PM - 7:45 PM ............ Enabling Browser Security in Web Applications- Michael Coates, Mozilla | |||
** 7:45 PM – 8:30 PM…......... Blackhat spam SEO - Julien Sobrier, Zscaler | |||
* Time: 6pm-9:30pm Pacific | |||
* Location: Mountain View (10 Forward) | |||
* Remote Participation: Yes, streaming via [http://air.mozilla.org air.mozilla.org] | |||
* RSVP Required (for in person) [http://www.regonline.com/owaspsiliconvalleychaptermeeting RSVP Here] | |||
===='''September 21, 2011 - CEF Logging for Attack Aware Applications'''==== | |||
* Topic: Implementing CEF logging to improve the security of web based applications | |||
* Time: 12pm-1pm Pacific | |||
* Location: Mountain View (10 Forward) | |||
* Remote Participation: Yes, streaming via [http://air.mozilla.org air.mozilla.org] | |||
* Archived Video , Slides - Will be available after the session | |||
===='''December 5, 2011 - Cross-Site Request Forgery and other cross domain technologies'''==== | |||
* Topic: Dealing with CSRF, the talk will also cover Cross-Origin Resource Sharing and the postMessage API | |||
* Time: 12pm-1pm Pacific | |||
* Location: Mountain View (10 Forward) | |||
* Remote Participation: Yes, streaming via [http://air.mozilla.org air.mozilla.org] | |||
* Archived Video , Slides - Will be available after the session | |||
===='''December 14, 2011 - What You See and What You Get - An Attacker's perspective'''==== | |||
* Topic: The talk covers how an attacker views a software system, how that differs from more common perspectives and what that teaches us about how to make secure products | |||
* Time: 5-6pm GMT | |||
* Location: Adsetts Learning Center (room 6619), Sheffield Hallam University, UK | |||
* Remote Participation: No | |||
* Archived Video - to be made available soon | |||
====Future Topics==== | |||
* Future topics: Content Security Policy, Strict Transport Security, Clickjacking & X-Frame-Options | |||
* Hands-On Hacking Classes Planned For Each Month | |||
* Submit an idea for a topic or brownbag to webappsec@mozilla.org | |||
== Security Learning Materials == | |||
=== Online Videos === | |||
* [http://www.youtube.com/user/AppsecTutorialSeries 10 Minute Security Training Videos] (More to come) | |||
** [http://www.youtube.com/watch?v=CDbWvEwBBxo Application Security Basics] | |||
** [http://www.youtube.com/watch?v=pypTYPaU7mM&feature=related Injection Attacks] | |||
** [http://www.youtube.com/watch?v=_Z9RQSnf8-g&feature=channel_video_title Cross Site Scripting] | |||
** Additional videos under development | |||
=== Security Presentations === | |||
* [http://www.slideshare.net/michael_coates/cross-site-scripting-mozilla-security-learning-center Cross Site Scripting Basics] | |||
* [http://www.slideshare.net/michael_coates/sql-injection-mozilla-security-learning-center SQL Injection Basics] | |||
=== Security Guides === | |||
* [https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet XSS Prevention Cheat Sheet] | |||
* [https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet SQL Prevention Cheat Sheet] | |||
=== Good Reads=== | |||
* [https://www.owasp.org/index.php/Top_10_2010 OWASP Top 10 Application Security Risks] | |||
== Mozilla WebAppSec Mailing List == | |||
Interested in discussing web application security concerns and the impact on Mozilla web applications? Then this is the list for you. Please note, this is a public list and is not the appropriate channel to discuss open security vulnerabilities (please file a bug in bugzilla). | |||
webappsec@mozilla.org | |||
https://mail.mozilla.org/listinfo/webappsec | |||
Infrastructure Security Blog - http://blog.mozilla.com/webappsec/ | |||
Latest revision as of 19:39, 20 August 2012
Mozilla Web Application Security
Welcome to the home page for Mozilla Web Application Security. This page will provide security information related to Mozilla hosted web applications and web services.
Secure Development Guidance
Web Application Security Severity Ratings
Request a Security Review
Are you releasing a Mozilla web application or service? If so, the Mozilla infrasec team can review the code and running application for security flaws.
Wordpress Theme or Plugin - Security Install Process
Filing a Web Security Bug
For instructions regarding the use of Bugzilla to file a web security bug, visit: Filing a Web Security Bug in Bugzilla
Presentations
Infrastructure security will be presenting on various security topics on a regular basis. These courses are free and open to anyone that would like to attend. For those that are remote, please join us on air.mozilla.org to remotely watch the presentation.
Schedule-2012
Schedule-2011-Archive
April 23, 2011 - Stanford Open Source Bootcamp
- Topic: Securing Web Applications through Hands On Security Hacking
- Slides: Securing Web Applications
July 14, 2011 - Mobile Hacking
- Topic: Blake Turrentine presents Mobile Hacking courseware for BlackHat 2011
- Time: 6pm-9:30pm Pacific
- Location: Mountain View (10 Forward) (Sorry, no streaming)
- Remote Participation: No, lab element requires in-person attendance
- Limited Space - RSVP Required
July 20, 2011 - Hands-On Hacking Brownbag - Cross Site Scripting
- Topic: Cross Site Scripting
- Time: 12pm-1pm Pacific
- Location: Mountain View (10 Forward)
- Remote Participation: Yes, streaming via air.mozilla.org
- Important Lab Setup - Please setup your VM test instance prior to the session - instructions
- 10 minute online video - Cross Site Scripting
- Archived Slides
August 16, 2011 - Hands-On Hacking Brownbag - SQL Injection
- Topic: SQL Injection
- Time: 12pm-1pm Pacific
- Location: Mountain View (10 Forward)
- Remote Participation: Yes, streaming via air.mozilla.org
- Lab Setup - Please setup your VM test instance prior to the session - instructions
- 10 minute online video - Injection Attacks
- Archived Slides
August 25, 2011 - OWASP Bay Area Chapter Meeting
- Topic: Application Security Topics
- 6:00 PM - 6:30 PM .............Check-in, registration, networking
- 6:30 PM – 6:35 PM ........... Welcome Remarks/Agenda - Mandeep Khera
- 6:35 PM - 7:45 PM ............ Enabling Browser Security in Web Applications- Michael Coates, Mozilla
- 7:45 PM – 8:30 PM…......... Blackhat spam SEO - Julien Sobrier, Zscaler
- Time: 6pm-9:30pm Pacific
- Location: Mountain View (10 Forward)
- Remote Participation: Yes, streaming via air.mozilla.org
- RSVP Required (for in person) RSVP Here
September 21, 2011 - CEF Logging for Attack Aware Applications
- Topic: Implementing CEF logging to improve the security of web based applications
- Time: 12pm-1pm Pacific
- Location: Mountain View (10 Forward)
- Remote Participation: Yes, streaming via air.mozilla.org
- Archived Video , Slides - Will be available after the session
December 5, 2011 - Cross-Site Request Forgery and other cross domain technologies
- Topic: Dealing with CSRF, the talk will also cover Cross-Origin Resource Sharing and the postMessage API
- Time: 12pm-1pm Pacific
- Location: Mountain View (10 Forward)
- Remote Participation: Yes, streaming via air.mozilla.org
- Archived Video , Slides - Will be available after the session
December 14, 2011 - What You See and What You Get - An Attacker's perspective
- Topic: The talk covers how an attacker views a software system, how that differs from more common perspectives and what that teaches us about how to make secure products
- Time: 5-6pm GMT
- Location: Adsetts Learning Center (room 6619), Sheffield Hallam University, UK
- Remote Participation: No
- Archived Video - to be made available soon
Future Topics
- Future topics: Content Security Policy, Strict Transport Security, Clickjacking & X-Frame-Options
- Hands-On Hacking Classes Planned For Each Month
- Submit an idea for a topic or brownbag to webappsec@mozilla.org
Security Learning Materials
Online Videos
- 10 Minute Security Training Videos (More to come)
- Application Security Basics
- Injection Attacks
- Cross Site Scripting
- Additional videos under development
Security Presentations
Security Guides
Good Reads
Mozilla WebAppSec Mailing List
Interested in discussing web application security concerns and the impact on Mozilla web applications? Then this is the list for you. Please note, this is a public list and is not the appropriate channel to discuss open security vulnerabilities (please file a bug in bugzilla).
webappsec@mozilla.org
https://mail.mozilla.org/listinfo/webappsec
Infrastructure Security Blog - http://blog.mozilla.com/webappsec/