Newsmaker: Mozilla looks to Microsoft for security

(continued from previous page)

Is Firefox more secure than Microsoft's Internet Explorer?
Snyder: This gets into how you measure security. I think one of the most important metrics of security is days of risk: How long does it take for a vendor to get a patch out to its customers? Then, once the patch is available, how long does it take to deploy it?

I think Mozilla has made the number of days between the time a vulnerability is identified and a patch is available incredibly small, and it is shrinking.

So the answer, in one word: Is Firefox more secure than Internet Explorer?
Snyder: I don't think there is a one-word answer for that question.

You can't say yes or no?
Snyder: You have to look at the days of risk. You have to look at the overall process, how responsive and how transparent the processes are.

Are there any security challenges that face Mozilla or its products?
Snyder: We have a tremendous opportunity, from our features perspective, to implement changes that will enhance the overall security of the product--for example, reducing the attack surface area by eliminating code that is either dead or infrequently used. There are some file-parsing engines or mechanisms that are present, but maybe for file formats that aren't widely in use.

If it does not add any benefit to the customers, it is probably only adding risks. If people aren't really using it, that code should go.

You dealt with security researchers at Microsoft and will deal with them at Mozilla. How do you see the community? There have been several cases where researchers have gone public with Firefox flaws.
Snyder: The security research community I see as another part of the Mozilla community. There's an opportunity for these people, if they get excited about the Mozilla project, to really contribute. They can contribute to secure design, they can suggest features, they can help us identify vulnerabilities, and they can help us test it. They can help us build tools to find more vulnerabilities. The spectrum is much broader (than with commercial products) in ways the research community can contribute to this project.

Did you use Firefox already before you came here?
Snyder: Oh yeah. I use everything. So at home, of course, I have Macs, I have PCs and machines running Linux. I have a broad range of platforms and software at home.

Are you working more hours now than you were working before?
Snyder: Probably, but I am spending a lot of time getting up to speed, and assessing where we are. It is a brand-new job for me, so you've got to jump in and get started. That means spending a lot of time talking to people and reading all the old bugs.  

More Newsmakers

[City_Of_LA]

Call me narrow-minded

But I've never seen an African-American woman in computer security. Infact, I've never seen any woman in computer security or much in software development for that matter. Good on ya babe!!

[mike.gw]

Times a-changing

When I started in the industry 22 years ago, it was dominated by white men, and the occasional white woman. Slowly, I began to notice more minority and female representation in the industry. There is still more progress that can be made, but it is good to see a more diverse workforce that better represents the country's population mix. And the African American women that I've had the pleasure to work with, tend to possess top notch skills in their specialty of the computer industry.

[GlennAl]

Perhaps you should get out more

I've worked 20+ years at a medium-to-large southern university and encountered numerous women of various ethnic backgrounds in all areas of computing, including security, software development, and networking. The more diversity, the better; so, yeah, "good on ya", but "babe!!"? (Is being a "babe" relevant in any way? OK, just kiddin'--I know you're only being "vernacular". Righteous! ;-)

[sdnative1]

Narrow-Minded or Just Ignorant?

It almost seems that you have your doubts as to the woman's ability because haven't seen a woman with that title. Secondly, there is no mention of the woman's ethnicity in the story. You just look at a photo and ASSUME she's African American? She could be part black and part white for all you know. Maybe even Puerto-Rican. You are not just a little ignorant, but VERY ignorant. This just in - it's not just a white men in high positions in America. Women are doctors, lawyers, company presidents, astronauts, and truck drivers. Your user name is "City Of LA". If you are in fact in Los Angeles, a city of such diversity, it's even more surprising. Perhaps now you won't be one just-out-from-under-a-rock, narrow-minded and ignorant people.

[brodie657]

Window?

Her name is Window and she worked for Microsoft? Thats awesome. She joins the ranks of Explorer (who works for Ford), Count Chocula (General Mills) and Dimension (Dell).

Seriously who names their kid Window and thinks its a good name? =)

[news_reader]

My parents named me News-Reader

So here I am.

[mike.gw]

It's an interesting name

It probably has an inspirational meaning to her parents. Perhaps to them, it meant "opportunity". And I'm sure the name didn't hurt when her resume landed in HR at Microsoft.

[ralfthedog]

You think her name is strange?

I still wonder what my mother was thinking when she named me after her favorite poodle.

[Penguinisto]

She just got there, guys...

How in hell can you demand an answer to the 'big' question before she even has a chance to review the codebase, internal processes, policies, and structure of the Mozilla team?

PS: Nice misleading title you got there.

/P

[Bob H in NPR]

Window from Microsoft to Mozilla

Great move for Mozilla. Microsoft seems to be leading in a new way to fight bugs. Her expertise is very welcome as a way to make security even more open sourced than it already is. As I am living in poverty, I appreciate all the good open source software out there, espacially the top rated stuff.
Bob H in NPR

[brilo]

Define Irony!??!?!?!!?? Hilarious!

After I got over the whole Window thing I got to thinking....what are her accolades again? She organized the Blue Hat convention!?!?!? This really isn't a great achievement, more or less it's a no brainer.
As for Mozilla hiring her.....are you sure you want to hire one of the Security leads from MS?? Do you really want to hire Accountants from Enron or have Charles Manson babysit for your kids? Hell no!!! Why hire a security person from MS over to Mozilla?

[pedershk]

Hrmph

It's quite obvious you have absolutely no idea what you're talking about. Microsoft has emphasized security extremely heavily over the past couple of years, and to be fair - I can't really think of a product more complex to make secure than Microsoft Windows.

Managing a team of several thousand developers and making sure they all "think, sleep and drink security" is a momentous achievement. Especially when you consider that "taking shortcuts" is almost etched into a programmer's brain in many cases.

[a85]

You're right

I agree, there has been a big shift at Microsoft and people forget that all software products are insecure. Mac OS X, Linux - all OSs and browsers are vulnerable to hackers and 'malware'. I guess people just love to hate Microsoft.

[t8]

Why switch jobs?

Because there isn't much scope for security in Windows. A security person working at MS will be under utilized

If Windows was secure, they wouldn't be able to sell you their (MS) Antivirus software and the like.

MS needs to make money somewhere. The growth of computers is not on increasing. So selling an insecure OS, then sell you a service to protect you from the vulnerabilities, is a good way to double revenue.

[t8]

Why switch jobs?

Because there isn't much scope for security in Windows. A security person working at MS will be under utilized

If Windows was secure, they wouldn't be able to sell you their (MS) Antivirus software and the like.

MS needs to make money somewhere. The growth of computers is not on increasing. So selling an insecure OS, then sell you a service to protect you from the vulnerabilities, is a good way to double revenue.

[kabweza]

She said it. Fierfox is better than IE

Maybe not in one word but she said...