
Mozilla to release Firefox threat-modeling data

By Dennis Fisher, Executive Editor
06 Aug 2008 | SearchSecurity.com

Security Wire Daily News

LAS VEGAS -- In an effort to give security and development communities better insight into the way its applications are developed, the Mozilla Foundation plans to make much of its developer training materials freely available online. It will also unveil the results of its threat-modeling process and invite feedback from the community.

Mozilla hopes to make more of its processes transparent to the public, and in turn get more people involved in the development and analysis process.

Window Snyder, the head of security for the Mozilla Foundation, said Mozilla is now conducting threat modeling on the next version of Firefox. She said the group will soon share the results of the process to show the mitigating steps it is taking to address each identified threat.

In an interview Wednesday at the Black Hat briefings, Snyder described the decision to publish its threat-modeling process as another way to find and fix problems before an application is released.

"No one releases their threat modeling results because it's the keys to the kingdom," she said. "But we're going to show each threat we've found and the mitigations we have for them and then ask people to give us feedback on the whole thing.

"We want the feedback on the mitigation while we're still in the design and implementation phase when it's just a code change on a whiteboard rather than having to go and re-architect a component," Snyder added. "It will be useful for the rest of the development world to see what a large, complex application looks like when it's broken down into components like this."

Threat modeling is a concept with which Snyder is quite familiar. She helped develop the threat-modeling process that is now a key part of Microsoft's Security Development Lifecycle. Snyder said that even with the decision to publish the results of the process, Mozilla won't post every threat that's found, just the ones for which it has found a mitigation.

"We can't just publish new vulnerabilities," Snyder said, "but we think with the feedback we get from this [initiative], we'll have people helping us identify new threats that we haven't considered yet."

In the second part of the initiative, Mozilla will make all of its software development processes available online as free courseware, classes and workshops. The program, which applies to C and C++ development, will begin in early September and will give developers the opportunity to learn the processes and methods the group uses for its development projects.

"We want to make this available to smaller development organizations so that they can get started on these kinds of processes as well," Snyder said. "Even if they don't have a lot of resources, they can use this to teach themselves."

Mozilla is currently developing Firefox 4, but Snyder said there isn't any firm release date at this point.

All Rights Reserved, Copyright 2003 - 2010, TechTarget | Read our Privacy Policy