Mozilla to release Firefox threat-modeling data

Article

Mozilla to release Firefox threat-modeling data

Dennis Fisher, Executive Editor

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

We think with the feedback we get from this [initiative], we'll have people helping us identify new threats that we haven't considered yet.
Window Snyder
Mozilla Foundation
LAS VEGAS -- In an effort to give security and development communities better insight into the way its applications are developed, the Mozilla Foundation plans to make much of its developer training materials freely available online. It will also unveil the results of its threat-modeling process and invite feedback from the community.

Mozilla hopes to make more of its processes transparent to the public, and in turn get more people involved in the development and analysis process.

Window Snyder, the head of security for the Mozilla Foundation, said Mozilla is now conducting threat modeling on the next version of Firefox. She said the group will soon share the results of the process to show the mitigating steps it is taking to address each identified threat.

In an interview Wednesday at the Black Hat briefings, Snyder described the decision to publish its threat-modeling process as another way to find and fix problems before an application is released.

"No one releases their threat modeling results because it's the keys to the kingdom," she said. "But we're going to show each threat we've found and the mitigations we have for them and then ask people to give us feedback on the whole thing.

Black Hat 2008:
Visit our extensive news coverage of Black Hat 2008.

Exclusive photos of Black Hat 2008.

Hoffman to demonstrate new hacking techniques Researcher to demonstrate hacking methods that enable malware authors to shield their programs from analysis.

EV SSL certificates won't stop phishers, researchers say Two researchers call Extended Validation (EV) SSL certificates a Band-Aid approach, and share their research of the phishing underground.

Valuable lesson emerges from DNS flaw handling Any effort to prevent others in the legitimate security community from working out the problem is a waste of time.
"We want the feedback on the mitigation while we're still in the design and implementation phase when it's just a code change on a whiteboard rather than having to go and re-architect a component," Snyder added. "It will be useful for the rest of the development world to see what a large, complex application looks like when it's broken down into components like this."

Threat modeling is a concept with which Snyder is quite familiar. She helped develop the threat-modeling process that is now a key part of Microsoft's Security Development Lifecycle. Snyder said that even with the decision to publish the results of the process, Mozilla won't post every threat that's found, just the ones for which it has found a mitigation.

"We can't just publish new vulnerabilities," Snyder said, "but we think with the feedback we get from this [initiative], we'll have people helping us identify new threats that we haven't considered yet."

In the second part of the initiative, Mozilla will make all of its software development processes available online as free courseware, classes and workshops. The program, which applies to C and C++ development, will begin in early September and will give developers the opportunity to learn the processes and methods the group uses for its development projects.

"We want to make this available to smaller development organizations so that they can get started on these kinds of processes as well," Snyder said. "Even if they don't have a lot of resources, they can use this to teach themselves."

Mozilla is currently developing Firefox 4, but Snyder said there isn't any firm release date at this point.