LAS VEGAS -- Open-source software maker Mozilla announced this week that the company will require developers to undergo training in secure programming and allow the security community to review its assessments of threats to the Firefox browser.
The two initiatives, which follow the group's announcement in July that it has begun developing metrics for measuring its handling of security issues, are aimed at better securing the browser, said Window Snyder, chief security officer for Mozilla. The threat modeling, in particular, could allow the company to gain input from security researchers and prevent missteps that could result in reduced security, but it has to be handled carefully to prevent attackers from using the information for malicious purposes, she said.
"We did threat modeling last year, but we want to find ways this year of making the results public," Snyder said. She added: "We don't want to disclose the threat models if it isn't going to make our users safer."
Last month, the open-source software maker embarked on an effort to develop a set of development metrics that could be used to measure its success in dealing with security issues. The company is not the only one to pledge to provide more information to the security community. Microsoft announced on Monday that it would also share some security-related data. Under its Microsoft Advanced Protection Program (MAPP), the company will give security-software makers some advance details of upcoming patches so that their customers can be protected from potential attacks using those flaws, even if they do not patch their software immediately.
Mozilla's latest initiative will start in September and begin delivering results later in the fall, Snyder said.
Posted by: Robert Lemos