The Dartmouth
May 5, 2024 | Latest Issue

Snyder explains Mozilla Corp.'s internet security

Although many Internet vendors aim to limit negative feedback on their products' security, Mozilla Firefox is trying to encourage it to improve the quality of its service, Window Snyder, chief of security at the Mozilla Corporation, said on Thursday afternoon in Rockefeller Center room 1.

Officially the "Chief Security Something-or-Other," Snyder said her title reflects her catch-all position at Mozilla, which includes facilitating and managing the Firefox web browser and working on security strategy, engineering, response and communication.

Snyder said she has worked at Mozilla to increase transparency on security issues. Traditionally, Internet vendors like to keep their security efforts private, she said, but she wants to see the industry move towards greater transparency.

"Obscurity doesn't protect you from anything," she said. "Someone will find vulnerabilities [in the code] eventually."

In many ways, the traditional approach to security stems from the nature of press coverage of security issues, Snyder said. The press can create an environment in which companies resist admitting vulnerabilities in their system because they worry about negative coverage and fail to see the potential for constructive feedback on their software, she added. Mozilla has done the opposite by making its source-code information available to anyone, she said.

"I go to the security research community and ask them to find vulnerabilities," she said. "You have to make yourself a target."

The press often measures the security of a system by the number of bugs it has, Snyder said. Companies, in turn, advertise a low bug count as an indicator of a successful system, but this is often not the most accurate approach to security metrics.

"The bugs are always there," Snyder said. "The number of reported bugs depends on how hard you're looking and how good you are at looking for them."

Snyder suggested new ways of measuring security that will hopefully give users a more accurate gauge of a system's security. Looking at the severity of a given bug helps the workers to prioritize which bugs should be addressed first, she said. An industry-wide standard, however, is probably needed before this could be effective, she said.

Additionally, Snyder stressed the importance of updating users on the systems' vulnerabilities. Because companies aim to avoid negative feedback, they wait to deliver security updates as part of large updates or service packs.

Mozilla, however, is committed to real-time updates on vulnerabilities and uses a constant security update mechanism that often delivers updates every six to eight weeks, she said.

Despite its corporate status, Mozilla functions more as a non-profit organization, according to Snyder. This feeling of community has made her understand her role in the context of the thousands of contributors and testers and millions of users who provide feedback, Snyder said.

"Mozilla is a community organization that operates based on delivering a public good," she said. "Anyone can propose a change [for Firefox], anyone can comment on a proposal for a change and anyone can submit a change to the code."

The Mozilla Corporation, which coordinates the development of Internet-related applications like Firefox and Thunderbird, is a for-profit subsidiary of the non-profit Mozilla Foundation.

Snyder spoke during an event sponsored by the Institute for Security, Technology and Society, which works to advance information security for the Dartmouth community, according to its web site. Security issues are especially relevant to students working on a network because they are part of a community using the same resource, Denise Anthony, ISTS Research Director and chair of the sociology department, said.

"Our online behavior can affect everyone else on the network," Anthony said.