Mozilla: Security a Significant Focus
With more than 170 million users, Mozilla has a large footprint of Web surfers using its Firefox browser. As such it's in an enviable position to help not only secure its own users but to implement best practices that make the entire Web a safer place for all.
"All these different programs are designed to be open and solicit feedback and also be useful to projects beyond the Mozilla project," Window Snyder, chief security officer at Mozilla, told InternetNews.com.
A training effort now in the development phase will help educate the community about secure development practices. Mozilla is also working on threat modeling for the next version of Firefox and intends to make some of that information public.
The security metrics effort, announced earlier this year, is designed to figure out what matters in security and then measure and track those metrics. Snyder explained that the first step of the process, now wrapping up, is determining what the company needs to look at in terms of security metrics. The next step is figuring out how to get that information out of Bugzilla and capture it on an ongoing basis. After that, the challenge is to extract the information and generate raw numbers. At the end, the company will analyze that information to identify trends, correlate factors and draw conclusions.
Tracking security is an ongoing concern in the software industry. Oracle (NASDAQ: ORCL) and Cisco (NASDAQ: CSCO) use a system called the Common Vulnerability Scoring System (CVSS), while Microsoft (NASDAQ: MSFT) recently announced its Exploitability Index project. Both rely on evaluating the risk potential from exploitation. Mozilla's security metrics will take a different route.
"We did look at exploitability at the very beginning and we decided that was a factor that is hard to capture and not all that useful," Snyder said. "We don't have a lot of evidence that Firefox users are being exploited."
Snyder did admit, however, that Mozilla sees the security research community coming up with proof-of-concept attacks, but she argued that is different from users actually being attacked.
"We believe it's out there, but it's not one of the factors we're focusing on because we can't identify a lot of data for it," Snyder commented. "Right now what we're really focusing on is the effect of our security efforts."
Mozilla will try to determine how quickly it patches and how quickly users update, how code changes affect security, and the effectiveness of the tools it uses to find and prevent issues.
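To make the metrics pipeline described above concrete, here is an added example (not Mozilla's code, and not the metrics Mozilla actually chose) that takes bug records in a hypothetical Bugzilla-export shape and computes the kind of numbers the article mentions: time from report to fix, time from fix to release, open counts per severity, and the fraction of bugs fixed within a deadline. The field names and the sample records are constructed for illustration.

```python
from datetime import date
from statistics import median

# Constructed sample records; the field names imitate a hypothetical Bugzilla
# export and are not a real Mozilla schema. Dates are ISO-8601 strings.
SAMPLE_BUGS = [
    {"id": 1, "severity": "critical", "reported": "2008-03-01", "fixed": "2008-03-04", "released": "2008-03-10"},
    {"id": 2, "severity": "critical", "reported": "2008-03-05", "fixed": "2008-03-20", "released": "2008-04-01"},
    {"id": 3, "severity": "high",     "reported": "2008-02-10", "fixed": "2008-03-15", "released": "2008-04-01"},
    {"id": 4, "severity": "moderate", "reported": "2008-01-20", "fixed": None,         "released": None},
]


def _days(start, end):
    """Whole days between two ISO date strings."""
    return (date.fromisoformat(end) - date.fromisoformat(start)).days


def latency_by_severity(bugs):
    """Group raw latencies per severity.

    Returns {severity: {"fix": [days report->fix], "ship": [days fix->release], "open": n}}.
    Bugs with no fix date count as open; bugs fixed but not yet shipped
    contribute a fix latency only.
    """
    out = {}
    for bug in bugs:
        bucket = out.setdefault(bug["severity"], {"fix": [], "ship": [], "open": 0})
        if bug["fixed"] is None:
            bucket["open"] += 1
            continue
        bucket["fix"].append(_days(bug["reported"], bug["fixed"]))
        if bug["released"] is not None:
            bucket["ship"].append(_days(bug["fixed"], bug["released"]))
    return out


def summarize(bugs):
    """Turn the raw latencies into per-severity summary numbers for trend tracking."""
    stats = latency_by_severity(bugs)
    return {
        sev: {
            "median_days_to_fix": median(v["fix"]) if v["fix"] else None,
            "median_days_fix_to_release": median(v["ship"]) if v["ship"] else None,
            "still_open": v["open"],
        }
        for sev, v in stats.items()
    }


def fraction_fixed_within(bugs, days):
    """Share of fixed bugs whose report-to-fix time was at most `days`; None if nothing is fixed."""
    fixed = [b for b in bugs if b["fixed"] is not None]
    if not fixed:
        return None
    on_time = sum(1 for b in fixed if _days(b["reported"], b["fixed"]) <= days)
    return on_time / len(fixed)


if __name__ == "__main__":
    for sev, row in summarize(SAMPLE_BUGS).items():
        print(sev, row)
    print("fixed within 7 days:", fraction_fixed_within(SAMPLE_BUGS, 7))
```

Running the same functions over successive monthly exports gives the time series on which trend analysis can be done; keeping the "open" count separate avoids the survivorship bias of computing medians only over bugs that have already been fixed.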
At Black Hat in 2007, Mozilla introduced a new fuzzing tool called jsfunfuzz, and Snyder noted that Mozilla now has a staffer who does nothing but build and use fuzzers.