{"id":494,"date":"2011-07-29T09:07:06","date_gmt":"2011-07-29T16:07:06","guid":{"rendered":"http:\/\/blog.mozilla.org\/security\/?p=494"},"modified":"2011-07-29T09:08:03","modified_gmt":"2011-07-29T16:08:03","slug":"494","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2011\/07\/29\/494\/","title":{"rendered":"Evolving the Security Review and Discussion Process"},"content":{"rendered":"

“The journey of a thousand miles begins with one step.” ~ Lao Tzu<\/em>
\n“If you do what you’ve always done, you’ll get what you’ve always gotten.” ~ Anthony Robbins<\/em><\/p>\n

We’ve been thinking about and working and retooling our security review process over the last few months with a set of goals in mind.<\/p>\n

Review more items and review them early in the development process.<\/strong>
\nPretty straight forward, find more features\/bugs\/ideas that need to be looked at. Schedule them and find stuff. The challenge here was getting much more plugged into the development process, especially for desktop Firefox which is where we started our focus. As things move along we are branching out into mobile, messaging, and other projects. We also want teams to come to us instead of us having to chase them.<\/p>\n

Reviews need to be useful to all involved.<\/strong>
\nThe core idea that security has to be add value, not just some time that people spend in a room talking about theory or speed bump on the ship lane. The outcome of meetings with security should be valuable and should focus on finding a path through, not stopping because we find a “problem”. When we had blockers we had to be clear about why it’s a blocker and what needs to be done. When it’s not a blocker it had to have a severity and the importance communicated clearly for future prioritization. And if the meeting was done early, it was done early. Time is a resource we cannot replace or replenish and it has to be used wisely. If we wanted to get the first goal this had to happen. And the format of the meeting had to be more firm.<\/p>\n

Results of a review should be easy to find and available for review.<\/strong>
\nWe want everyone interested in security and the security of our products to review our work, be critical in feedback and find ways to improve. That means publishing what we did, when we did it and what if any actions were to come from the meetings. We did just that, and you can find it here https:\/\/wiki.mozilla.org\/Security\/Reviews.<\/p>\n

Meetings need to be practicable, open, and publicized.<\/strong>
\nWith the previous goals in mind the meeting format changed to something like this:<\/p>\n