
Mozilla's Snyder says security pros should press vendors on security

By Marcia Savage, Features Editor, Information Security magazine
16 Sep 2008 | SearchSecurity.com


SAN FRANCISCO--Security professionals need to press their vendors to be more forthcoming about vulnerabilities and other security information, Mozilla's security chief said Monday in a keynote at IT Security World here.

Security isn't a priority for a lot of software developers, but users can get them to change, Window Snyder said. "You have the power in this relationship…Ask vendors for more than marketing claims about security," she said. "They could be a lot more open about their process. It's up to you guys to get vendors to talk more."

Microsoft, for example, began paying more attention to security after hearing from customers about security issues with Windows XP, she said. "For other software vendors, it can be hard for them to justify changes if they're not hearing from customers," said Snyder, who helped spearhead the development of Service Pack 2 for XP when she was with Microsoft.

While sharing information about security issues can lead to a perception that a company isn't secure, that situation is changing, she said. When vendors communicate what they're doing about security, not just how they're fixing vulnerabilities but also their security development and training efforts, it can build confidence, she said, adding, "I'm a big fan of over-communicating when it comes to security issues."

At Mozilla, which is best known for producing the Firefox browser, Snyder said she's adamant about transparency when it comes to security. "Our source code is open and available to everyone," she said. "The industry doesn't have to take our word for it."

She outlined some of the organization's security efforts, including its work to develop security metrics, which will include vulnerability severity, find rate/fix rate, and time for patch deployment. Basing security simply on the number of vulnerabilities found is a useless metric, she said, adding that it only provides incentive for vendors to keep quiet about bugs.

On the code review side, Snyder said she's a big fan of fuzzers, which she said produce minimal false positives and mimic the way attackers work. Mozilla has made its fuzzers available to the industry. Outside security consultants also are a good way to bring in an objective eye to the development process, she said.

Snyder criticized vendors that bundle fixes for security vulnerabilities into major service packs, a practice she said gives them time to test patches but leaves users exposed in the meantime. "I urge you to tell your vendors to weigh the benefit of monster test pass service packs," she said.

She also took a dig at Google for issuing updates for its new Chrome browser without prompting the user. That could be a problem for IT departments if the update breaks a function, she said.
