Slashdot Mirror


Mozilla Launches Security Metrics Project

Earthweb passes along a ZDNet article which notes, "In partnership with indie security consultant Rich Mogull, Mozilla has launched a valuable Security Metrics Project that — we can only hope — could help to put an end to the silly notion that patch-counting helps to determine a product's security posture. The idea is to develop a metrics model that goes beyond simple bug counts to reflect accurately the effectiveness of secure development efforts and the relative risk to users over time. Mogull has released a spreadsheet (.xls) with a preliminary version of the model and Mozilla's Window Snyder is actively seeking feedback to make the project open and meaningful."

5 of 18 comments

  1. Ten Fucking Days by Anonymous Coward · · Score: 2, Interesting

    Where's the fix for the suspiciously-timed Firefox 3 (and 2) code execution bug? That would boost security.

  2. Hmmm by Anonymous Coward · · Score: 3, Interesting

    So, we don't like the current stats because they make us look bad; so let's try to create a new "standard" which will make us look better? A standard that can only really be applied to open source, because you can't see the bug count in closed source?

    Wow. That really smells.

    1. Re:Hmmm by awrowe · · Score: 2, Funny

      Why isn't there a moderation option +1 Cynical?

      --
      A.I. Research. The peculiar science in which we know the question and we know the answer, but can't show the working
    2. Re:Hmmm by hedwards · · Score: 3, Insightful

      The current standards, in addition to making all of the parties look bad, are incredibly misleading.

      Patch counts say very little about the actual security of a program; it just says that X number have been patched out of a total of Y. And usually those will be broken up into categories roughly by severity.

      The problem is that vulnerabilities aren't that straightforward. For instance, where do you put an incredibly difficult to exploit bug which also grants complete control when done correctly? Is that severe, minor, or do you split the difference? It's not particularly clear, and which it is likely depends upon what the computer is used for.

      I'm positive that no solution is perfect, but at least with a decent metric it's a bit easier to shame those browsers which are truly insecure rather than those with a huge number of patches left to create.
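
The story summary talks about a metric that reflects "relative risk to users over time" rather than bug counts, and the comment above asks where a hard-to-exploit, full-control bug belongs. The following Python is an added illustration of that argument, written for this page; it is not Rich Mogull's spreadsheet, Mozilla's model, or anything from the Securosis archive. It assumes a simple risk score (impact times ease of exploitation, both on an assumed 0..1 scale) and an assumed exposure metric (risk multiplied by the days users were exposed between disclosure and patch). The two products, their vulnerabilities, dates and scores are all constructed so that the product with more patches is the one with less exposure.

```python
"""Why patch counts mislead: constructed comparison of two products.

Added illustration for this page, not Rich Mogull's spreadsheet or
Mozilla's metrics model. Every product, vulnerability, date, impact and
ease value below is constructed; the scales and the formulas are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class Vuln:
    vid: str
    disclosed: date
    patched: Optional[date]  # None: still unpatched as of the report date
    impact: float            # assumed 0..1 scale; 1.0 = complete control of the machine
    ease: float              # assumed 0..1 scale; 1.0 = trivially exploitable

    def risk(self) -> float:
        """Impact times ease: the 'hard to exploit but total control' bug scores
        in the middle instead of being forced into one severity bucket."""
        return self.impact * self.ease

    def exposure_days(self, as_of: date) -> int:
        """Days users were exposed up to as_of; open bugs keep accruing."""
        if self.patched is not None and self.patched <= as_of:
            end = self.patched
        else:
            end = as_of
        return max(0, (end - self.disclosed).days)


def patch_count(vulns: Iterable[Vuln]) -> int:
    """The naive metric the thread objects to: how many bugs were patched."""
    return sum(1 for v in vulns if v.patched is not None)


def risk_days(vulns: Iterable[Vuln], as_of: date) -> float:
    """Assumed exposure metric: sum of risk * days exposed, one way to express
    relative risk to users over time instead of a bug tally."""
    return sum(v.risk() * v.exposure_days(as_of) for v in vulns)


def open_risk(vulns: Iterable[Vuln], as_of: date) -> float:
    """Risk still present on as_of: disclosed but not yet patched."""
    return sum(v.risk() for v in vulns
               if v.disclosed <= as_of
               and (v.patched is None or v.patched > as_of))


def compare(products: Dict[str, Iterable[Vuln]],
            as_of: date) -> Dict[str, Dict[str, float]]:
    """Both metrics side by side for each product."""
    return {
        name: {
            "patch_count": patch_count(vulns),
            "risk_days": risk_days(vulns, as_of),
            "open_risk": open_risk(vulns, as_of),
        }
        for name, vulns in products.items()
    }


# Constructed sample data. Product A: many low-risk bugs, patched within days.
# Product B: two full-control bugs, one of them still open.
PRODUCTS: Dict[str, list] = {
    "Product A": [
        Vuln("A-1", date(2008, 3, 1), date(2008, 3, 5), impact=0.2, ease=0.9),
        Vuln("A-2", date(2008, 4, 10), date(2008, 4, 12), impact=0.3, ease=0.5),
        Vuln("A-3", date(2008, 5, 1), date(2008, 5, 3), impact=0.1, ease=1.0),
        Vuln("A-4", date(2008, 6, 1), date(2008, 6, 8), impact=0.4, ease=0.3),
        Vuln("A-5", date(2008, 6, 20), None, impact=0.1, ease=0.2),
    ],
    "Product B": [
        Vuln("B-1", date(2008, 3, 15), date(2008, 3, 25), impact=1.0, ease=0.8),
        Vuln("B-2", date(2008, 6, 21), None, impact=1.0, ease=0.2),
    ],
}
AS_OF = date(2008, 7, 1)  # constructed reporting date


if __name__ == "__main__":
    for name, metrics in compare(PRODUCTS, AS_OF).items():
        print(f"{name}: patched={metrics['patch_count']}  "
              f"risk-days={metrics['risk_days']:.2f}  "
              f"open risk={metrics['open_risk']:.2f}")
```

By patch count Product A looks four times worse than Product B; by risk-weighted exposure Product B carries several times the risk, because one ten-day window on a full-control bug outweighs every quickly fixed minor bug put together. The weights are the arguable part, which is exactly the feedback Snyder is asking for.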

  3. Re:Where's the ODF version? by friedegg · · Score: 2, Informative

    From the site (I know, I know):

    The same content as a set of .csvs is available here: http://securosis.com/publications/MozillaProject.zip

    --
    Google doesn't index user sigs, so stop trying to "Google Bomb" with them.