Mozilla to release Firefox threat-modeling data

By Dennis Fisher, Executive Editor
06 Aug 2008 | SearchSecurity.com

LAS VEGAS -- In an effort to give security and development communities better insight into the way its applications are developed, the Mozilla Foundation plans to make much of its developer training materials freely available online. It will also unveil the results of its threat-modeling process and invite feedback from the community.

Mozilla hopes to make more of its processes transparent to the public, and in turn get more people involved in the development and analysis process.

Window Snyder, the head of security for the Mozilla Foundation, said Mozilla is now conducting threat modeling on the next version of Firefox. She said the group will soon share the results of the process to show the mitigating steps it is taking to address each identified threat.

In an interview Wednesday at the Black Hat briefings, Snyder described the decision to publish its threat-modeling process as another way to find and fix problems before an application is released.

"No one releases their threat modeling results because it's the keys to the kingdom," she said. "But we're going to show each threat we've found and the mitigations we have for them and then ask people to give us feedback on the whole thing.

"We want the feedback on the mitigation while we're still in the design and implementation phase when it's just a code change on a whiteboard rather than having to go and re-architect a component," Snyder added. "It will be useful for the rest of the development world to see what a large, complex application looks like when it's broken down into components like this."

Threat modeling is a concept with which Snyder is quite familiar. She helped develop the threat-modeling process that is now a key part of Microsoft's Security Development Lifecycle. Snyder said that even with the decision to publish the results of the process, Mozilla won't post every threat that's found, just the ones for which it has found a mitigation.

"We can't just publish new vulnerabilities," Snyder said, "but we think with the feedback we get from this [initiative], we'll have people helping us identify new threats that we haven't considered yet."

In the second part of the initiative, Mozilla will make all of its software development processes available online as free courseware, classes and workshops. The program, which applies to C and C++ development, will begin in early September and will give developers the opportunity to learn the processes and methods the group uses for its development projects.

"We want to make this available to smaller development organizations so that they can get started on these kinds of processes as well," Snyder said. "Even if they don't have a lot of resources, they can use this to teach themselves."

Mozilla is currently developing Firefox 4, but Snyder said there isn't any firm release date at this point.
