Window Snyder has just accepted a role at Mozilla as lead security strategist. Snyder was most recently a founding member and CTO of Matasano Security, and before that a senior security strategist at Microsoft.
Some points from the interview she gave on zdnet.com concerning the current security metrics (or ways they identify problems):
The key issue raised by Snyder was that the current metrics for evaluating the security of a product are flawed:
- The current metrics that the industry uses to measure the security of a product are based on the number and frequency of vulnerabilities in that product
- Commercial vendors don't always patch everything
- Commercial vendors patch flaws through service packs and version upgrades, which may hide the actual number of flaws
Citing people like Dan Geer and Allen Jones, Snyder and Mozilla believe that security metrics should instead be based on the following factors:
- Days of risk (time between disclosure and patch)
- Transparency of the patch process
- Security of the architecture
- Scope of fixes
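The first of those factors, days of risk, is the one that can be computed directly from public data, and it is where the two complaints above bite: a flaw that is never patched, or is silently fixed in a service pack, has no clean patch date. The script below is an added illustration (not code from the article, from Snyder, or from Mozilla) of how a defender might compute days of risk for a product while keeping unpatched flaws visible rather than dropping them. The vulnerability records, their identifiers, and the dates are all constructed for the example; a flaw that is still open is measured up to an "as of" date so it keeps accruing risk instead of disappearing from the average.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import List, Optional


@dataclass
class Vuln:
    vuln_id: str              # constructed placeholder, not a real advisory id
    disclosed: date           # date the flaw became public
    patched: Optional[date]   # None while no fix has shipped


def days_of_risk(v: Vuln, as_of: date) -> int:
    """Days between public disclosure and the fix (the article's definition).

    An unpatched flaw is still exposing users, so it is measured up to
    `as_of` rather than being skipped. A fix that shipped before public
    disclosure had no public exposure window, so it counts as zero days.
    """
    end = v.patched if v.patched is not None else as_of
    return max(0, (end - v.disclosed).days)


def summarize(vulns: List[Vuln], as_of: date) -> dict:
    """Aggregate days of risk for one product as of a given date.

    Reporting the unpatched count alongside the averages keeps the
    'vendors don't patch everything' problem from hiding in the numbers.
    """
    dor = [days_of_risk(v, as_of) for v in vulns]
    return {
        "count": len(vulns),
        "unpatched": sum(1 for v in vulns if v.patched is None),
        "mean_days": mean(dor),
        "median_days": median(dor),
        "max_days": max(dor),
    }


# Constructed sample data for the example; none of this is from the article.
SAMPLE = [
    Vuln("EXAMPLE-1", date(2006, 1, 10), date(2006, 1, 15)),   # fixed in 5 days
    Vuln("EXAMPLE-2", date(2006, 2, 1), date(2006, 3, 3)),     # fixed in 30 days
    Vuln("EXAMPLE-3", date(2006, 3, 20), None),                # still open
]
AS_OF = date(2006, 4, 1)

if __name__ == "__main__":
    for v in SAMPLE:
        print(f"{v.vuln_id}: {days_of_risk(v, AS_OF)} days of risk")
    print(summarize(SAMPLE, AS_OF))
```

Reporting the median and maximum next to the mean matters: a single flaw left open for a year dominates the mean, while the median shows what a typical fix looked like, and the unpatched count is the figure a vendor's vulnerability-count metric would never show.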
It is interesting to see so much emphasis placed on security lately. Within the past 6 months, I have heard countless podcasts on how writing secure code is becoming more and more important, with topics ranging from building security into an application as soon as a project is assigned to the strict coding itself. It is definitely a good idea, given that more and more software really is living in the network rather than on an individual machine (and even then, those machines are always on anyway!).
To check out the full article, head over to zdnet.com.
Yeah, these days Mozilla guys are moving to MS and vice versa..