Mozilla: Security a Significant Focus
With more than 170 million users, Mozilla has a large footprint of Web surfers using its Firefox browser. As such it's in an enviable position to help not only secure its own users but to implement best practices that make the entire Web a safer place for all.
"All these different programs are designed to be open and solicit feedback and also be useful to projects beyond the Mozilla project," Window Snyder, chief security officer at Mozilla, told InternetNews.com.
A training effort now in the development phase will help educate the community about secure development practices. Mozilla is also working on threat modeling for the next version of Firefox and intends to make some of that information public.
Tracking security is an ongoing concern in the software industry. Oracle (NASDAQ: ORCL) and Cisco (NASDAQ: CSCO) use the Common Vulnerability Scoring System (CVSS), while Microsoft (NASDAQ: MSFT) recently announced its Exploitability Index project. Both approaches rely on evaluating the risk that a given vulnerability will be exploited. Mozilla's security metrics will take a different route.
"We did look at exploitability at the very beginning and we decided that was a factor that is hard to capture and not all that useful," Snyder said. "We don't have a lot of evidence that Firefox users are being exploited."
Snyder did admit, however, that Mozilla sees the security research community coming up with proof-of-concept attacks, but she argued that is different from users actually being attacked.
"We believe it's out there, but it's not one of the factors we're focusing on because we can't identify a lot of data for it," Snyder commented. "Right now what we're really focusing on is the effect of our security efforts."
Mozilla will instead try to measure how quickly it patches and how quickly users update, how code changes affect security, and how effective the tools it uses to find and prevent issues are.
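The two measurements named first, how quickly a fix ships and how quickly users pick it up, combine into a single exposure window that is often more informative than either number alone. The following is an added illustration of that kind of metric, not Mozilla's own tooling; the bug identifiers, dates and adoption figures are constructed sample values, and the 90% adoption target is an assumed threshold.

```python
from datetime import date
from statistics import median

# Constructed sample records (not real Mozilla data): each tuple is
# (placeholder bug id, date the issue was reported privately, date the fix shipped)
FIXES = [
    ("BUG-A", date(2008, 3, 1), date(2008, 3, 25)),
    ("BUG-B", date(2008, 4, 10), date(2008, 4, 17)),
    ("BUG-C", date(2008, 5, 2), date(2008, 6, 4)),
]

# Constructed update telemetry: days since the fixed release shipped ->
# fraction of the active user base already running it
ADOPTION = {0: 0.0, 1: 0.12, 3: 0.41, 7: 0.78, 14: 0.93, 30: 0.98}


def days_to_fix(records):
    """Fix latency per bug: calendar days from private report to shipped fix."""
    return {bug: (fixed - reported).days for bug, reported, fixed in records}


def median_days_to_fix(records):
    """A single headline number for 'how quickly we patch'."""
    return median(days_to_fix(records).values())


def days_until_coverage(adoption, target):
    """First observed day on which at least `target` of users run the patched
    build, or None if the telemetry never reaches that level."""
    for day in sorted(adoption):
        if adoption[day] >= target:
            return day
    return None


def exposure_days(records, adoption, target=0.9):
    """Days from private report until `target` of the user base is patched:
    fix latency plus rollout lag. A fast patch that users are slow to
    install still leaves a long window, which this metric makes visible."""
    rollout = days_until_coverage(adoption, target)
    if rollout is None:
        raise ValueError("adoption telemetry never reaches the target level")
    return {bug: latency + rollout for bug, latency in days_to_fix(records).items()}


if __name__ == "__main__":
    print("median days to fix:", median_days_to_fix(FIXES))
    print("days to 90% coverage:", days_until_coverage(ADOPTION, 0.9))
    print("exposure window per bug:", exposure_days(FIXES, ADOPTION))
```

Real telemetry would be keyed by release rather than assumed identical for every fix, but the structure is the same: each fix contributes its own latency, and the update curve contributes the rollout lag that no amount of fast patching removes.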
At Black Hat in 2007, Mozilla introduced a new fuzzing tool called JsfunFuzz, and Snyder noted that Mozilla now has a staffer who does nothing but build and use fuzzers.