Security/Meetings/SecurityAssurance/2012-05-01

From MozillaWiki
{{SecAssuranceMeetingInfo}}
{{TOC right}}
=Agenda=
* Goals - Please keep status up to date - https://mana.mozilla.org/wiki/display/INFRASEC/2012+-+Q2+Goals
* [mcoates] Company wide updates
* [yvan / curtis] Reviews - Refining handling & scoping effort, time,
* [mcoates] 1on1s
* [mcoates] Kilimanjaro
** https://wiki.mozilla.org/Kilimanjaro
** https://wiki.mozilla.org/Kilimanjaro/ProductDraft
** We will prioritize reviews that are blocking Kilimanjaro, starting with WebRT
* [mcoates] Work Week
** When: Late June, Early July? - (Infra: London Aug 12) Aug 13-17, 20-24, Sept
*** http://www.doodle.com/
*** Where: Europe - London?
*** Berlin in Oktober? ahem. AppSecUSA October 22 – 26, 2012
*** Including volunteers/community members, or employees only? - Want to include some community
* [Jesse] Google upped their bug bounty for web sites (but not for Chrome)
** http://googleonlinesecurity.blogspot.com/2012/04/spurring-more-vulnerability-research.html
** http://www.infoworld.com/t/hacking/bug-bounty-hunters-weigh-in-googles-vulnerability-reporting-program-191710 - Jesse was quoted :) \o/
* [mcoates] Embedded team members: remember that you can ask for help from other security team members; you don't have to do everything yourself.
* [mcoates] Bugzilla mail tips & tricks
** https://etherpad.mozilla.org/bugzilla-filter-tips
* [decoder] We got Linux Firefox+ASan builds on try now, if you need one, ping me. \o/
=Security Review Status (koenig)=
* Number of Reviews Completed (so far this quarter): 40 (last week 16) <-- nice work
** https://bugzilla.mozilla.org/buglist.cgi?keywords=sec-review-complete%2C%20;keywords_type=allwords;list_id=2876446;field0-0-0=keywords;type0-0-0=changedafter;value0-0-0=2012.03.31;query_format=advanced = 21
** https://bugzilla.mozilla.org/buglist.cgi?list_id=2999910;resolution=FIXED;chfieldto=Now;chfield=resolution;query_format=advanced;chfieldfrom=2012-03-31;type0-0-0=anywords;component=Security%20Assurance%3A%20Review%20Request;product=mozilla.org = 19
* Number of Outstanding Reviews: 172 (last week 129)
** https://bugzilla.mozilla.org/buglist.cgi?keywords=sec-review-needed%2C%20;query_format=advanced;keywords_type=allwords;list_id=2876531;field0-0-0=product;type0-0-0=notequals;value0-0-0=mozilla.org;resolution=---;resolution=DUPLICATE = 50
** https://bugzilla.mozilla.org/buglist.cgi?list_id=2999921;query_format=advanced;bug_status=UNCONFIRMED;bug_status=NEW;bug_status=ASSIGNED;bug_status=REOPENED;component=Security%20Assurance%3A%20Review%20Request;product=mozilla.org = 122
=Project Updates =
Please don't leave blank. Add "No Update" if nothing has changed
==Silent updates (rforbes / dveditz)==
== B2G (Paul Theriault) ==
* Browser API is a bit more defined now (iframe mozbrowser) https://wiki.mozilla.org/WebAPI/BrowserAPI
* B2G workweek in San Diego next week
** Define security review process/get team onboard
** Review draft Web App Permission Process
* Security reviews started moving slowly, but most features are not completed
** Documenting threats in the meantime
==Thunderbird (Dan Veditz) ==
==Rust (Jesse Ruderman) ==
* Upcoming “lifetimes” feature could be awesome. Moves the “pass by reference” concept into the type system and makes it more general.
** http://smallcultfollowing.com/babysteps/blog/2012/04/25/references/
** http://pcwalton.github.com/blog/2012/04/23/why-lifetimes/
==Mobile (David Chan) ==
* no update
==Sync (David Chan & Yvan Boily) ==
* still working on sync 2.0
==Services (David Chan & Yvan Boily) ==
* notifications review being scheduled
==Social - Pancake (Mark Goodwin) ==
Much frantic bug fixing going on in prep for public release. Some security stuff outstanding, but they won't be progressing without resolving them.
==Jetpack, Add-on SDK, Add-on Builder (Dan Veditz) ==
==JS (Christian Holler) ==
* [gkw] More ESR fuzzing
* [gkw] Pushed along some Valgrind issues on TBPL
==DOM, XPConnect (Jesse Ruderman) ==
==Layout, Style (Jesse Ruderman) ==
==Automation Tools (Gary Kwong) ==
* Great feedback again for us getting ateam secreviews back on track
** Embedding is effective
==Web Developer Tools (Mark Goodwin) ==
I'm having fun on a first bug :D - little else to report.
== Networking (Christoph Diehl) ==
* Going to port Server-Sent DOM Events to Peach
* Still working on SPDY v3
== Graphics (Christoph Diehl) ==
* Going to re-test some older items with ASAN builds (graphite, icon, bitmap)
* Filed more Opus bugs
== Market (Raymond Forbes) ==
Launching soon?
==Firefox APIs (Raymond Forbes) ==
==Payment Flow (Raymond Forbes) ==
==Apps in the Cloud (David Chan) ==
* client needs review
==Dynamic API Security Model (Raymond Forbes) ==
==WebRT (Raymond Forbes) ==
==BrowserID ==
* 3rd party review to be pushed
== Identity Services (David Chan) ==
* working on sign into browser
==Addons.M.O (Raymond Forbes) ==
==Bugzilla.M.O (Mark Goodwin & Eric Parker) ==
TellUsMore review is happening late this / early next week.
==Mozillians (Raymond Forbes) ==
==MDN (Raymond Forbes) ==
==SUMO (Kitsune) () ==

Latest revision as of 13:51, 2 May 2012

  • Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
  • Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
  • Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
  • Phone (Toronto): 416 848 3114 x92 Conf: 95316#
  • Phone (US): 800 707 2533 (pin 369) Conf: 95316#