by Matt Hines

Mozilla security guru backs industry confab

Jul 5, 2007

Mozilla's Window Snyder says it may be helpful for the open-source community to gather at an industry-focused security conference

While stopping short of volunteering to host the event, Mozilla chief security official Window Snyder said that it could prove helpful for the open-source community to meet at its own conference to debate secure coding, vulnerability reporting, and product patching issues.

In a recent interview with InfoWorld, Snyder — whose official title with browser maker Mozilla is “chief security something or other” — said that she would back a meeting of open-source software developers centered on a discussion of security issues.

Working at Microsoft as part of its Secure Windows Initiative prior to joining Mozilla in 2006, Snyder helped organize Blue Hat, the software giant’s now annual closed-door meeting with security researchers.

Security has vastly improved in the open-source community over the last several years as an increasing number of contributors have stepped up to identify software vulnerabilities and help ward off potential attacks, but such a meeting of the minds could help developers improve their products even further, Snyder said.

The event wouldn’t likely adopt the same closed-door approach as Blue Hat, to which media members and other security industry onlookers remain uninvited, and security researchers and open-source developers would need to focus on both existing issues, such as improving vulnerability disclosure methods, and emerging topics, such as new threats aimed specifically at open-source technologies, according to the expert.

If created, the event would likely take on the same grassroots feel of smaller security research conferences, such as the annual ShmooCon gathering in Washington, she said.

“It would take a lot of work to coordinate, and we would need a lot of people to organize it, but something like [an open-source Blue Hat] could be very useful,” Snyder said. “Anyone who wanted to contribute would have to be welcomed, and the idea would have to be to help people make their own security decisions more intelligently rather than to put pressure on people to change the ways they build things.”

Backers of the open-source model have long maintained that they enjoy a significant advantage over makers of proprietary software, such as Microsoft, in the area of finding and patching security flaws in their products.

Unlike Microsoft, which keeps its code under wraps and issues monthly updates that typically contain patches for multiple vulnerabilities that have been publicly identified by researchers, open-source companies like Mozilla — perhaps best known for its Firefox browser — have legions of contributors who attempt to find and fix any problems in its freely-distributed code on an ongoing basis.

The ability to respond to problems so rapidly, and to tap into a wider group of security experts in the form of the larger open-source community, currently makes Firefox a more secure alternative to Microsoft’s Internet Explorer and other proprietary software products, Snyder contends.

By meeting as an industry, open-source security experts could also glean more detailed feedback from researchers, she said, as open-source flaws are typically only approached as an element of any published papers issued by security technology vendors.

“The majority of reports that come out of the security researchers have a tremendous amount of knowledge, and we would love to get further involved in the overall process and understand the coding implications of what they find,” Snyder said. “We could get more suggestions on building out our architecture in the future, which is something we always want to have an eye on.”

Overall, the security expert said that the open-source model continues to prove itself as advantageous in fighting off attacks, especially as Mozilla continues to hear from a growing number of people who are actively scouring its products for potential issues.

“Transparency continues to be one of Mozilla’s key factors for success,” she said. “Some people might see it as an obstacle in terms of doing security with the whole world watching, and at times it can be a challenge, but we have ten thousand people testing our nightly builds, which is a lot more than you find on your typical browser development team.”