Mozilla to release Firefox threat-modeling data

Black Hat: The Mozilla Foundation's security chief says it will soon publicly release threat-modeling data for the next version of the Firefox Web browser.

LAS VEGAS -- In an effort to give security and development communities better insight into the way its applications are developed, the Mozilla Foundation plans to make much of its developer training materials freely available online. It will also unveil the results of its threat-modeling process and invite feedback from the community.

Mozilla hopes to make more of its processes transparent to the public, and in turn get more people involved in the development and analysis process.

Window Snyder, the head of security for the Mozilla Foundation, said Mozilla is now conducting threat modeling on the next version of Firefox. She said the group will soon share the results of the process to show the mitigating steps it is taking to address each identified threat.

In an interview Wednesday at the Black Hat briefings, Snyder described the decision to publish its threat-modeling process as another way to find and fix problems before an application is released.

"No one releases their threat modeling results because it's the keys to the kingdom," she said. "But we're going to show each threat we've found and the mitigations we have for them and then ask people to give us feedback on the whole thing."

"We want the feedback on the mitigation while we're still in the design and implementation phase when it's just a code change on a whiteboard rather than having to go and re-architect a component," Snyder added. "It will be useful for the rest of the development world to see what a large, complex application looks like when it's broken down into components like this."

Threat modeling is a concept with which Snyder is quite familiar. She helped develop the threat-modeling process that is now a key part of Microsoft's Security Development Lifecycle. Snyder said that even with the decision to publish the results of the process, Mozilla won't post every threat that's found, just the ones for which it has found a mitigation.

"We can't just publish new vulnerabilities," Snyder said, "but we think with the feedback we get from this [initiative], we'll have people helping us identify new threats that we haven't considered yet."

In the second part of the initiative, Mozilla will make all of its software development processes available online as free courseware, classes and workshops. The program, which applies to C and C++ development, will begin in early September and will give developers the opportunity to learn the processes and methods the group uses for its development projects.

"We want to make this available to smaller development organizations so that they can get started on these kinds of processes as well," Snyder said. "Even if they don't have a lot of resources, they can use this to teach themselves."

Mozilla is currently developing Firefox 4, but Snyder said there isn't any firm release date at this point.
