Slashdot Mirror


Mozilla Launches Security Metrics Project

Earthweb passes along a ZDNet article which notes, "In partnership with indie security consultant Rich Mogull, Mozilla has launched a valuable Security Metrics Project that — we can only hope — could help to put an end to the silly notion that patch-counting helps to determine a product's security posture. The idea is to develop a metrics model that goes beyond simple bug counts to reflect accurately the effectiveness of secure development efforts and the relative risk to users over time. Mogull has released a spreadsheet (.xls) with a preliminary version of the model and Mozilla's Window Snyder is actively seeking feedback to make the project open and meaningful."

18 comments

  1. Ten Fucking Days by Anonymous Coward · · Score: 2, Interesting

    Where's the fix for the suspiciously-timed Firefox 3 (and 2) code execution bug? That would boost security.

  2. Cost = free by ephemeralspecter · · Score: 1

    Looks like they're depending a lot on feedback. From paid consultants?

  3. Different name, please by Anonymous Coward · · Score: 1, Informative

    I wish they'd pick a different name. Every time I look at it, I think of Security Metrics (one of the "we'll run Nessus against your site for a fee" providers).

  4. Where's the ODF version? by Anonymous Coward · · Score: 1, Insightful

    If Mozilla is so committed to open standards, then why didn't they ask Mogull to publish an ODF version of the spreadsheet, even if only alongside the Microsoft Office binary file?

    1. Re:Where's the ODF version? by friedegg · · Score: 2, Informative

      From the site (I know, I know):

      The same content as a set of .csvs is available here: http://securosis.com/publications/MozillaProject.zip

      --
      Google doesn't index user sigs, so stop trying to "Google Bomb" with them.
    2. Re:Where's the ODF version? by Nicolay77 · · Score: 1

      But I use MS Office you insensitive clod!

      --
      We are Turing O-Machines. The Oracle is out there.
  5. Hmmm by Anonymous Coward · · Score: 3, Interesting

    So, we don't like the current stats because they make us look bad; so let's try to create a new "standard" which will make us look better? A standard that can only really be applied to open source, because you can't see the bug count in closed source?

    Wow. That really smells.

    1. Re:Hmmm by awrowe · · Score: 2, Funny

      Why isn't there a moderation option +1 Cynical?

      --
      A.I. Research. The peculiar science in which we know the question and we know the answer, but can't show the working
    2. Re:Hmmm by hedwards · · Score: 3, Insightful

      The current standards, in addition to making all of the parties look bad, are incredibly misleading.

      Patch counts say very little about the actual security of a program; they just say that X number have been patched out of a total of Y. And usually those will be broken up into categories roughly by severity.

      The problem is that vulnerabilities aren't that straightforward. For instance, where do you put an incredibly difficult-to-exploit bug which also grants complete control when done correctly? Is that severe, minor, or do you split the difference? It's not particularly clear, and which it is likely depends upon what the computer is used for.

      I'm positive that no solution is perfect, but at least with a decent metric it's a bit easier to shame those browsers which are truly insecure rather than those with a huge number of patches left to create.

    3. Re:Hmmm by wolferz · · Score: 1

      IF it is truly an "open" project then IN THEORY the end result would not be biased...

      ...but then again it's the opensource/mozilla fanboys and the anti-ms fanboys that are gonna be contributing to this more than any other groups. Thus it will probably be more biased than it would have if Mozilla had kept it top secret.

    4. Re:Hmmm by magamiako1 · · Score: 1

      Like which browsers are "truly insecure"? All of them on this round are turning out to be fairly decent these days.

      And Microsoft has been rather committed to security even issuing a security update for IE8 Beta 1, which really they shouldn't have to do.

    5. Re:Hmmm by Anonymous Coward · · Score: 1, Informative

      "So, we don't like the current stats because they make us look bad; so let's try to create a new "standard" which will make us look better? A standard that can only really be applied to open source, because you can't see the bug count in closed source?

      Wow. That really smells." - by Anonymous Coward on Saturday July 05, @05:09AM (#24064781)

      Agreed, 110%... instead of WASTING TIME doing that (well, there is no guarantee that Rich Mogull can actually DO anything more than that, let alone code to help the Mozilla dev team, OR even actively test the program trying to screw it up, finding another form of 'bug', not just security ones), fix the known unpatched security issues & you do NOT have to go about this b.s., period...

      AS IT STANDS, NOW TODAY/CURRENTLY?

      -----
      SECUNIA DATA ON BROWSER SECURITY (dated 07/04/2008 - "4th July U.S.A."):

      -----

      Opera 9.51 (new release) security advisories @ SECUNIA (0% unpatched):

      http://secunia.com/product/10615/?task=advisories

      -----

      FireFox 3.x security advisories @ SECUNIA (100% unpatched):

      http://secunia.com/product/19089/

      -----

      IE 7 (latest cumulative update from MS) security advisories @ SECUNIA (34% unpatched):

      http://secunia.com/product/12366/

      -----

      Those %'s are the latest for FireFox 3.x, IE7 after last "patch Tuesday" from MS with the "CUMULATIVE IE UPDATES" they have (see the security downloads URL I post in the 12 steps above to secure yourself), & Opera 9.51... ALL, "latest/greatest" models.

      So, as you can see? Well, NOT ONLY IS OPERA MORE SECURE/BEARING LESS SECURITY VULNERABILITIES?

      It's faster too, on just about ANYTHING a browser does, & is probably the MOST standards compliant browser under the sun (not counting HTML dev tools). This is borne out in these tests:

      http://www.howtocreate.co.uk/browserSpeed.html

      AND, yes others (most recently in Javascript parsing speeds, oddly enough, lol... given the topic of my post here that is), right here:

      http://nontroppo.org/timer/kestrel_tests/

      NEW NEWS/NEWSFLASH: FF3 is "king of the heap" here now, in javascript parsing speeds, but of what gain is this? Security risks abound in running javascript on "every site under the sun"... limiting it to sites you absolutely NEED it for is the way, IF you wish to stay safer online that is.

      ----

      Opera's just more std.'s compliant - for example, having passed all the ACID (2/3 before anyone on the latter & one of the first for the former no less), plus it's faster + MULTIPLATFORM, & more secure than the others out there - thus, it's an "all-around" overall best solution!

      -----

      QUESTION - So, "where do you want to go today?"...

      ANSWER = Opera (if you're into speed, security, & std.'s compliance + using a webbrowser that runs on most any platform out there for computing is where).

      APK

      P.S.=> Thank goodness the poster before myself can "see", & cut thru the fog of lies/crap this really is... fix the bugs? No reason to have to do such stupidity... apk

  6. a new way? by Anonymous Coward · · Score: 0

    Ok, I agree that patch counting is maybe not the best way to evaluate the security of software, but it gives an idea. What does this mean? That they can't keep it low and are seeking alternative ways to measure and keep the "We are safe" slogan? Yes, that's why I stopped using it quite a while ago. Ahh, and wasn't it at risk during the download day? Jesus, they continued with the "download day" even knowing that they had a vulnerability in the browser within hours. That means to me that in order to break the Guinness record they are willing to put their users at risk. Yes, well, you got your record, but it has a cost, and it cost the security of users. I would have stopped. Good luck, Fox, and to your users. I'll see you again when you begin to write software and not furniture. Since you became big you are a little Microsoft copy. Maybe their cakes are contagious :P Ahh, and remember to cache better; you fail to cache with chunked transfer encoding, even big stuff. Remember that you are making the web slower with that, and that is not only affecting your users but others that decide to use better browsers, or some of us that have to pay for the bandwidth sucking your thing is doing. Hey, server bandwidth costs. Remember that when you write a line of code.

    1. Re:a new way? by Anonymous Coward · · Score: 0

      Jesus, they continued with the "download day" even knowing that they had a vulnerability in the browser within hours. That means to me that in order to break the Guinness record they are willing to put their users at risk

      Idiot. The vulnerability also exists in Firefox 2, so upgrading does not make anyone less secure.

      Note also that there is no public information about this vulnerability, so we have no way of knowing how serious it is. All we have to go on is an announcement from, um, some people who have a vested interest in making it sound serious.

  7. mod up by Anonymous Coward · · Score: 0

    Where's the fix for the "Suspiciously-timed Firefox 3 (and 2) code execution bug" That would boost security.

    The silence from the Mozilla project is deafening. That tells us what they really think about security in a way that no Mozilla public relations exercise will ever be able to fix.

  8. Mozilla, +5, Useful by rootpassbird · · Score: 1

    'open' will be a very important condition.

    --
    Hackers have long memories. It works both ways.
  9. Clarification Of A Different "Outlook"? by LifesABeach · · Score: 1

    Noted inventor Benjamin Franklin was once asked how best to rank 2 products. The response went something like, "Create a column of all the benefits of both products. For each product, attach another column. Go through the list and place a check mark in the corresponding box. The product with the most checks is the better product."

    I can see where applying this to Safari, Opera, and IE would be a good thing. But I also think that making it public would start a trend that would be very constructive from a user's point of view. Other browsers are known for being products that set themselves apart from the IE folks. This "matrix" looks to be like a simple spreadsheet. It should not be hard to apply any browser to it in the future. It will be interesting when, in August, IE 6, 7, and 8 could be added to this matrix. From my point of view, it is a great way to show "Pride In Craftsmanship".

  10. Its only MS by vincpa · · Score: 0

    Just because it's Microsoft, everyone cries like little babies. Hello everyone, Open Office/Star Office reads XLS files, so what's the damn problem? Is there a reason it needs to be 'open format'? I bet $100 if it was released as PDF no one would say anything. Typical /. childish behavior. Get a life!