Mozilla hopes to make more of its processes transparent to the public, and in turn get more people involved in the development and analysis process.
Window Snyder, the head of security for the Mozilla Foundation, said Mozilla is now conducting threat modeling on the next version of Firefox. She said the group will soon share the results of the process to show the mitigating steps it is taking to address each identified threat.
In an interview Wednesday at the Black Hat briefings, Snyder described Mozilla's decision to publish its threat-modeling process as another way to find and fix problems before an application is released.
"No one releases their threat modeling results because it's the keys to the kingdom," she said. "But we're going to show each threat we've found and the mitigations we have for them and then ask people to give us feedback on the whole thing."
Threat modeling is a concept with which Snyder is quite familiar. She helped develop the threat-modeling process that is now a key part of Microsoft's Security Development Lifecycle. Snyder said that even with the decision to publish the results of the process, Mozilla won't post every threat that's found, just the ones for which it has found a mitigation.
"We can't just publish new vulnerabilities," Snyder said, "but we think with the feedback we get from this [initiative], we'll have people helping us identify new threats that we haven't considered yet."
In the second part of the initiative, Mozilla will make all of its software development processes available online as free courseware, classes and workshops. The program, which applies to C and C++ development, will begin in early September and will give developers the opportunity to learn the processes and methods the group uses for its development projects.
"We want to make this available to smaller development organizations so that they can get started on these kinds of processes as well," Snyder said. "Even if they don't have a lot of resources, they can use this to teach themselves."
Mozilla is currently developing Firefox 4, but Snyder said there isn't any firm release date at this point.