Mozilla has started a program that will create a sort of measurement guide showing how well the Firefox developers deal with security issues. Details of the project were announced last week, which explain that the project’s mission is to track not only how security is handled, but how long it takes to protect Firefox’s growing user base when vulnerabilities are discovered.
Mozilla wants to measure security metrics in the development cycle for Firefox. (Image: J. Anderson)
Mozilla has been working with Rich Mogull for a while now, creating a project that will develop a metrics model for security measurement. “I’ve been working in the security world for 17 or so years, and breaking my computers even longer. After about 10 years in physical security (mostly running large events/concerts) I made the mistake of getting drunk in Silicon Valley and telling someone I ‘worked in security’. Next morning I woke up with a job as an IT security consultant. That’s not totally true, but it’s far more amusing than my full biography,” Mogull jokes. The truth is, he is the founder of Securosis, and spent over seven years as a security analyst with Gartner.
The Metrics project that Mozilla has launched is likely similar to other things that have been used internally at other companies. However, the importance of this initiative from Mozilla is that it is completely open and public. They want the security community, and community as a whole, to weigh in and offer feedback.
“Our goal in this first phase of the project is to build a baseline model we can evolve over time as we learn what works, and what does not. We do not think any model can define an absolute level of security, so we decided to take the approach of tracking metrics over time so we can track relative improvements (or declines), and identify any problem spots. This information will support the development of Mozilla projects including future versions of Firefox,” Window Snyder, Chief Security Something-or-Other for Mozilla said in the blog post about the project.
I managed to catch Rich on AIM and talk briefly about the project. The idea of an open project like this is unique; Rich explained that to the best of his knowledge no one has done this type of open measurement in the past. So I asked him what got him hooked up with Mozilla on this and if he had done any kind of metric project like this before, “Not a project like this, but I've written about security metrics and secure development before. Window and I know each other through the security community, and after I left Gartner she thought this would be an interesting project to work on together.”
So far, he told me, the feedback on the project has been positive. “We're just starting to get feedback, and overall it's positive, with suggestions for enhancements to the model. Some people are misunderstanding the goal, which isn't about proving which browser is better. This is about improving the secure development process.”
Some of the comments online have hinted at this. However, if you look at the goals and proposals offered up for comment, there is no single metric that can be used to fuel the browser wars. The overall idea behind the project is, “…to put more metrics in place to track how well development efforts work over time, identify opportunities for improvement, and, secondarily, to provide a model others can adapt and use themselves,” Rich said.
The official goals (for now) are:
1. Track security trends in the development of Firefox.
2. Measure the effectiveness of various tools, stages and techniques of secure development.
3. Measure the exposure window when new vulnerabilities are discovered: the time to get x% of the user base protected. This will include sub-metrics to measure the efficiency of the process, from initial response, through patch generation, through user base updated, and will correlate the results by severity of vulnerability.
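Goal 3 is the one with a concrete computation behind it, so here is an added example (not code from Mozilla or from the project's documentation) of how such an exposure window can be measured. The data model, the 90% protection threshold and all timestamps are assumptions constructed for illustration; the page defines neither a schema nor an x value. The example interpolates the moment the user base crosses the threshold, breaks the window into the response, patch-generation and rollout sub-metrics, treats a vulnerability whose rollout never reaches the threshold as still open rather than silently dropping it, and reports a median per severity.

```python
"""Exposure-window metric, in the spirit of goal 3 above (added example).

Hypothetical data model and threshold: the page defines neither, so the
VulnTimeline schema and the 0.9 target are assumptions made here.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Optional, Tuple


@dataclass
class VulnTimeline:
    vuln_id: str
    severity: str
    disclosed_at: datetime          # vulnerability becomes known
    responded_at: datetime          # initial triage / acknowledgement
    patch_released_at: datetime     # fixed build available to users
    # (timestamp, fraction of user base on a fixed build), ascending in time
    adoption: List[Tuple[datetime, float]]


def hours_between(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600.0


def time_to_coverage(tl: VulnTimeline, target: float) -> Optional[float]:
    """Hours from disclosure until `target` of users run a fixed build.

    Adoption is taken as 0 at patch release; the crossing point is linearly
    interpolated between adoption samples. Returns None if the target is
    never reached in the observed window (the vulnerability is still open).
    """
    prev_t, prev_f = tl.patch_released_at, 0.0
    for t, f in tl.adoption:
        if f >= target:
            # guard avoids division by zero when target <= 0
            ratio = 1.0 if f == prev_f else (target - prev_f) / (f - prev_f)
            crossing = prev_t + (t - prev_t) * ratio
            return hours_between(tl.disclosed_at, crossing)
        prev_t, prev_f = t, f
    return None


def exposure_metrics(tl: VulnTimeline, target: float = 0.9) -> Dict[str, Optional[float]]:
    """Sub-metrics along the process: initial response, patch generation, rollout."""
    response = hours_between(tl.disclosed_at, tl.responded_at)
    patch = hours_between(tl.responded_at, tl.patch_released_at)
    total = time_to_coverage(tl, target)
    rollout = None if total is None else total - response - patch
    return {
        "response_hours": response,
        "patch_hours": patch,
        "rollout_hours": rollout,
        "exposure_window_hours": total,
    }


def summarize_by_severity(timelines: List[VulnTimeline], target: float = 0.9) -> Dict[str, dict]:
    """Median exposure window per severity; 'unmeasured' counts open vulnerabilities."""
    buckets: Dict[str, List[Optional[float]]] = {}
    for tl in timelines:
        window = exposure_metrics(tl, target)["exposure_window_hours"]
        buckets.setdefault(tl.severity, []).append(window)
    summary: Dict[str, dict] = {}
    for sev, windows in buckets.items():
        measured = [w for w in windows if w is not None]
        summary[sev] = {
            "median_exposure_hours": median(measured) if measured else None,
            "measured": len(measured),
            "unmeasured": len(windows) - len(measured),
        }
    return summary


# Constructed sample data (not real Firefox figures).
T0 = datetime(2008, 7, 1)
H = timedelta(hours=1)
SAMPLE = [
    VulnTimeline("V-1", "critical", T0, T0 + 2 * H, T0 + 26 * H,
                 [(T0 + 38 * H, 0.5), (T0 + 50 * H, 0.9), (T0 + 98 * H, 0.99)]),
    VulnTimeline("V-2", "high", T0, T0 + 24 * H, T0 + 120 * H,
                 [(T0 + 168 * H, 0.3), (T0 + 240 * H, 0.7), (T0 + 360 * H, 0.85)]),
    VulnTimeline("V-3", "critical", T0, T0 + 4 * H, T0 + 52 * H,
                 [(T0 + 76 * H, 0.6), (T0 + 100 * H, 0.95)]),
]

if __name__ == "__main__":
    for tl in SAMPLE:
        print(tl.vuln_id, tl.severity, exposure_metrics(tl))
    print(summarize_by_severity(SAMPLE))
```

Keeping the open case as None, and counting it separately, matters in practice: averaging only the vulnerabilities that finished rolling out would make the process look faster than it is, which is exactly the kind of blind spot a trend-over-time model is meant to expose.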
More information, as well as copies of some of the documentation, is here: http://blog.mozilla.com/security/2008/07/02/mozilla-security-metrics-project/