Security @ Mozilla

I gave a talk at RMLL on July 6th on the structure and organization of the security team at Mozilla, and how we built and supported the security of websites and services across the community.

The talk can be viewed via the RMLL site, or below!

Working in security I spend a fair amount of time reviewing and looking at work other people do. Turns out when you do that for 10 years, eventually people start seeing you like this:

While some of the things I have seen make me feel that way[2], the reality is that I have tried to spend most of my career helping people to try to do things better, not to stop them doing new and cool things.

I have lost count of the number of times someone has said in a meeting “We can’t do that, security won’t let us!” with me sitting right there! Ok, fair enough, sometimes it’s true, but most of the time we are really trying to say “Not like that!”. You need a remote access solution? Sure, but let’s put that RDP service behind a VPN. Need to install a new, untested web service on our domain? Ok, but why don’t we do some testing and maybe some fuzzing on it first. You want to ship all of our employee data to that 3rd party? Let’s have a chat with them first so that we can make sure their security practices are reasonable.

If I am talking to you about a security issue and you think I just said “No”, make sure you listen to the rest of the “t like that!” because I am probably trying to help you[1]!

[1] The exception to the rule is if you are talking about PHP or Perl. Then I mean no.

[2] Circa 2016, I started to come around on WordPress, as the automatic update features and PHP’s overall maturity started to improve.

Securing BrowserID

This post is cross-posted from the Mozilla Web Application Security blog.

One of the important projects that Mozilla has been building in 2011 is BrowserID, a user-centric identity protocol and authentication service. Significant work has gone into building out and testing the infrastructure and protocol to make sure that it is a robust, open, and simple to adopt authentication scheme. If you want to learn more about BrowserID, here is a quick 12 minute video that explains what it is, and why we are doing this.

BrowserID continues to evolve as we build support for it across Mozilla properties and encourage adoption from 3rd parties. To date there are almost 1000 different websites that rely on BrowserID, but we still have a long way to go to see large scale adoption!

Much of the effort we have put into reviewing the protocol and implementation of BrowserID is discussed in a recent presentation, a recording of which can be found below:

[Slides: html | html(zip) | pdf] (if the video doesn’t appear, click here!)

In addition to ongoing application and infrastructure security work in the next year, we are aiming for two significant milestones in 2012. First, we will engage two third-party security reviews: one of the BrowserID.org site, and one of the cryptography used in BrowserID (including the protocol, the algorithms used, and the libraries we are relying on). Our objective in doing the third-party review is to remain as transparent as possible in the development and review of the security aspects of BrowserID. This commitment to transparency includes:

  • opening up currently closed security bugs as the issues are resolved
  • publishing the results of the 3rd party review once high risk issues are addressed

As we proceed with this effort we will publish additional information on this blog, and we will work to keep the community up to date at each stage of progress.

Second, once we have completed the 3rd party review, resolved the issues identified, and published the results, BrowserID.org will become one of the properties fully covered by the Bug Bounty program (as always, exceptional bugs reported for non-covered sites will be considered for bounty nomination).