Mozilla Launches Security Metrics Project

Earthweb passes along a ZDNet article which notes, "In partnership with indie security consultant Rich Mogull, Mozilla has launched a valuable Security Metrics Project that — we can only hope — could help to put an end to the silly notion that patch-counting helps to determine a product's security posture. The idea is to develop a metrics model that goes beyond simple bug counts to reflect accurately the effectiveness of secure development efforts and the relative risk to users over time. Mogull has released a spreadsheet (.xls) with a preliminary version of the model and Mozilla's Window Snyder is actively seeking feedback to make the project open and meaningful."

Hmmm

So, we don't like the current stats because they make us look bad; so lets try to create a new "standard" which will make us look better? A standard that can only really be applied to open source, because you can't see the bug count in closed source?

Wow. That really smells.

Re:Hmmm

[hedwards]

The current standards, in addition to making all of the parties look bad, are incredibly misleading.

Patch counts say very little about the actual security of a program, it just says that X number have been patch out of a total of Y. And usually those will be broken up into categories roughly be severity.

The problem is that vulnerabilities aren't that straight forward. For instance where do you put an incredibly difficult to exploit bug which also grants complete control when done correctly? Is that severe, minor or do you split the difference? It's not particularly clear and which it is likely depends upon what the computer is used for.

I'm positive that no solution is perfect, but at least with a decent metric it's a bit easier to shame those browsers which are truly insecure rather than those with a huge number of patches left to create.