Mozilla's New Security Chief: Dump Old Code - InformationWeek


05:12 PM

Mozilla's New Security Chief: Dump Old Code

Window Snyder, whose hiring was announced last week, says she wants to get going. Her first initiative is to reduce the overall risk to Firefox by evaluating where there are unused features and by getting rid of the unused code.

Mozilla Corp. has hired a former Microsoft security strategist to help secure its open-source software, particularly its Firefox browser.

Window Snyder, whose hiring was announced last week and who takes the title of "Chief Security Something" -- that's a working title, and not all that unusual for a company headed by someone who once held the title of "Chief Lizard Wrangler" -- said she has big plans for the group's development efforts.

"We want to reduce the overall risk [to Firefox] by evaluating where there are unused features, and then getting rid of that old code," said Snyder.

While at Microsoft, Snyder was responsible for security sign-offs on Windows XP SP2 and Windows Server 2003. Prior to Mozilla's hiring, she was with Matasano Security, a New York City-based company she founded after leaving Microsoft. Before working for the Redmond, Wash. developer, Snyder was one of the founding team members for the @stake hacking-group-turned-consultancy, which Symantec acquired in 2004.

"We want Firefox to have a tighter code base, and fewer entry points into the system," Snyder said.

"If we find a parsing routine that was built ages ago to manage file formats rarely used now, where the potential for vulnerability outweighs the value of the feature, we can benefit by getting rid of that code," she said. That doesn't mean Firefox will be regularly torn down and rebuilt from scratch, but it might mean stripping out code or shifting older features to optional installs rather than leaving them in the general code base.

Not to say that Firefox is buggy, said Snyder as she defended the browser's security track record.

"Just counting up the bugs is not a good measure of how secure an application is," she argued, referring to some criticisms of the open-source browser when compared to its main rival, Microsoft's Internet Explorer. A year ago, for instance, Symantec tallied the numbers and concluded that Firefox had suffered twice as many vulnerabilities as IE. (In March 2006, Symantec recanted when it changed how it counted up flaws, and found the Firefox vs. IE bug battle a draw.)

"People should be counting the days of risk. How long is the user vulnerable? What's the time between a patch issued and the upgrade installed?" Snyder asked. Using those metrics, Mozilla's products win hands down, she said. "We're turning [patches] around in the space of days, not weeks or months."

Microsoft is regularly criticized for its long patch development and test processes; even when an exploit is actively circulating in the wild, Microsoft can take weeks to produce a patch.

Snyder admitted that Mozilla has one built-in advantage when it comes to getting patches in place faster than Microsoft. "Most of our users are at home, and with automatic updates turned on by default, we can get 90 percent of our base updated to the next version in about 8 days." Microsoft's patches to IE, on the other hand, often are deployed much slower because its enterprise customers must do internal testing before rolling them out to workers.
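To make the days-of-risk argument concrete, here is an added Python model (not Mozilla's or the article's own code) that charges each vulnerability its vendor patch lag plus the user's mean install lag under an assumed exponential rollout curve. The vulnerability lists and the 60-day rollout are constructed; only the "90 percent in about 8 days" figure comes from the article.

```python
"""Days-of-risk model: an added illustration, not Mozilla's or the article's code."""
from dataclasses import dataclass
from datetime import date
import math


@dataclass
class Vuln:
    name: str
    disclosed: date   # day the flaw became publicly known
    patched: date     # day the vendor shipped a fix


def deployment_rate(fraction: float, days: float) -> float:
    """Rate k of an assumed exponential rollout 1 - exp(-k*t) that has reached
    `fraction` of the user base after `days` days."""
    return -math.log(1.0 - fraction) / days


def mean_install_lag(rate: float) -> float:
    """Mean days a user keeps running old code after the patch ships:
    the integral of (1 - rollout(t)) over t, which is 1/k for the curve above."""
    return 1.0 / rate


def days_of_risk(v: Vuln, rate: float) -> float:
    """Average exploitable window per user: vendor patch lag + user install lag."""
    return (v.patched - v.disclosed).days + mean_install_lag(rate)


def exposure_summary(vulns: list, rate: float) -> tuple:
    """(bug count, total days of risk): the two metrics the article contrasts."""
    return len(vulns), sum(days_of_risk(v, rate) for v in vulns)


# Constructed sample data (2006-era dates chosen to match the article's timeframe).
FAST_VULNS = [  # more bugs, each fixed within days
    Vuln("fast-1", date(2006, 9, 1), date(2006, 9, 3)),
    Vuln("fast-2", date(2006, 9, 5), date(2006, 9, 8)),
    Vuln("fast-3", date(2006, 9, 10), date(2006, 9, 15)),
    Vuln("fast-4", date(2006, 9, 20), date(2006, 9, 24)),
]
SLOW_VULNS = [  # fewer bugs, each fixed in weeks
    Vuln("slow-1", date(2006, 9, 1), date(2006, 9, 22)),
    Vuln("slow-2", date(2006, 9, 5), date(2006, 10, 10)),
]
FAST_RATE = deployment_rate(0.90, 8)   # "90 percent ... in about 8 days" (article)
SLOW_RATE = deployment_rate(0.90, 60)  # constructed: staged enterprise rollout

if __name__ == "__main__":
    for label, vulns, rate in (("fast", FAST_VULNS, FAST_RATE), ("slow", SLOW_VULNS, SLOW_RATE)):
        count, total = exposure_summary(vulns, rate)
        print(f"{label}: {count} bugs, {total:.1f} total days of risk")
```

The fast product reports twice as many bugs yet accumulates roughly a quarter of the slow product's total exposure, which is the point Snyder makes about raw bug counts.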

Mozilla will also investigate and/or implement other features that can enhance Firefox's security.

"We've already put anti-phishing into [Firefox] 2.0," said Snyder. Down the road, she's figuring on new memory management, managed code, and sandbox approaches and technologies. Changes in heap management, for example, can make it more difficult for an exploit to write to that area of memory. "That can limit the exploitability of a vulnerability," said Snyder.

"Mozilla will respond quickly to vulnerabilities, fix all bugs with a security impact, and when we add features we will always look at the security impact," Snyder promised.

Coincidentally, Thursday was scheduled as the release date for Firefox, a security update to the browser. As of noon PDT, the update had not yet posted to the Mozilla site, however.
