Mozilla, the maker of the open-source Firefox browser, has embarked on a project to create a measuring stick for how well the group's developers handle security issues, the organization announced last week.
Working with security researcher Rich Mogull, Mozilla has created an in-depth list of data to track including a vulnerability's discovery date, disclosure date, time to patch, time to be identified as a security issue, time to route to the correct developer, and how quickly an update is released. Mozilla invited security researchers to download the spreadsheets that describe the data collected and offer suggestions and criticisms of the proposed techniques.
"Our goal in this first phase of the project is to build a baseline model we can evolve over time as we learn what works, and what does not," Window Snyder, chief security officer for Mozilla, said in a blog post. "We do not think any model can define an absolute level of security, so we decided to take the approach of tracking metrics over time so we can track relative improvements (or declines), and identify problem spots."
Defining the qualities that make a program secure has proven an elusive goal. In the past, Microsoft and Mozilla have vociferously debated which of their products is the most secure, each hashing vulnerability data in ways more favorable to their own browser software. While Microsoft likes to focus on "days of risk" -- the time between the first public disclosure of a vulnerability and the issuance of a patch -- Mozilla focuses on the speed with which the project's programmers can craft a patch for their product. A recent study found that Mozilla Firefox users patch their programs much more quickly than users of Microsoft's Internet Explorer.
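To make the difference between the two measures concrete, here is an added example (not Mozilla's or Rich Mogull's spreadsheet, and the record fields and sample dates are constructed for illustration) that computes "days of risk" (public disclosure to patch) and time-to-patch (project discovery to patch) over the same set of records, so the same data yields two quite different pictures:

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass
class VulnRecord:
    """One tracked vulnerability. Field names are assumptions for this example."""
    vuln_id: str
    discovered: date            # when the project first learned of the bug
    disclosed: Optional[date]   # first public disclosure; None if still private
    patched: Optional[date]     # release date of the fix; None if still unpatched


def days_of_risk(rec: VulnRecord, as_of: date) -> int:
    """Microsoft-style metric: public disclosure -> patch release.
    A publicly known, unpatched bug keeps accruing risk up to `as_of`."""
    if rec.disclosed is None:
        return 0                                  # never public: no exposure window
    end = rec.patched if rec.patched is not None else as_of
    if end < rec.disclosed:
        return 0                                  # fixed before it became public
    return (end - rec.disclosed).days


def time_to_patch(rec: VulnRecord, as_of: date) -> int:
    """Mozilla-style metric: project discovery -> patch release (open bugs count to `as_of`)."""
    end = rec.patched if rec.patched is not None else as_of
    return (end - rec.discovered).days


def summarize(records, as_of: date) -> dict:
    """Medians of both measures plus the count of still-open issues."""
    return {
        "median_days_of_risk": median(days_of_risk(r, as_of) for r in records),
        "median_time_to_patch": median(time_to_patch(r, as_of) for r in records),
        "unpatched": sum(1 for r in records if r.patched is None),
    }


# Constructed sample records (not real Mozilla data).
AS_OF = date(2008, 4, 1)
SAMPLE = [
    VulnRecord("V-1", date(2008, 1, 2), date(2008, 1, 20), date(2008, 1, 25)),   # public 5 days
    VulnRecord("V-2", date(2008, 2, 1), None, date(2008, 2, 15)),                # private report
    VulnRecord("V-3", date(2008, 2, 20), date(2008, 2, 20), None),               # public, still open
    VulnRecord("V-4", date(2008, 1, 10), date(2008, 3, 10), date(2008, 3, 5)),   # patched pre-disclosure
]

if __name__ == "__main__":
    print(summarize(SAMPLE, AS_OF))
```

On these records the median days of risk is 2.5 while the median time-to-patch is 32, which is exactly why the two vendors' chosen yardsticks tell different stories.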
Microsoft has spent hundreds of millions of dollars revamping its development processes under the Trustworthy Computing Initiative, including tools to catch well-understood software flaws and a development process that focuses on baking security into the final product.
Snyder, who worked in Microsoft's product security teams before joining Mozilla, pledged to release the results of the security metrics project under open-source licensing so that other software makers might benefit from the work.
Posted by: Robert Lemos