Newsmaker: Mozilla looks to Microsoft for security

Mozilla's new security chief won't say outright whether Firefox is more secure than Internet Explorer.

Window Snyder, formerly of Microsoft, now heads up security at Mozilla, the company best known for its open-source Firefox Web browser. While Microsoft is often criticized over the security of its products, Mozilla is seen in a more favorable light. Yet Firefox and other Mozilla products have their share of security problems.

At Microsoft, Snyder helped formalize the process to secure Windows. She also created an event, dubbed Blue Hat, that brought hackers onto the Microsoft campus to expose flaws in the company's software in front of its creators.

In her new role, Snyder plans to share Mozilla's security secrets with the world, strengthen ties with the security researcher community and rid Mozilla products of old, potentially dangerous, code, she told CNET News.com in a recent interview.

Snyder is a self-described geek and the daughter of programmers. Before she was even a teenager, her mom taught her to program Basic on a Texas Instruments 99 computer. She went on to a career that included various security consulting jobs, such as at @Stake, which was purchased by Symantec.

Snyder sat down with CNET News.com at Mozilla's office in Mountain View, Calif., to talk about how to make software as watertight as possible in a world where nothing is secure.

Q: How did you come to be interested in security?
Snyder: I studied mathematics and computer science, which led me to cryptography. From there, I definitely developed an interest in how to build secure applications, and, at the same time, how to circumvent secure systems. Once I was a software engineer, I pretty much started working on security applications.

If (code) does not add any benefit to the customers, it is probably only adding risks. If people aren't really using it, that code should go.

When did you first get involved professionally?
Snyder: I was developing applications where security was critical very early on in my career. I was also involved in security research groups in the '90s.

In the late '90s is when the security industry really changed: It was the beginning of Internet Security Systems and other companies. There was finally a place for these skills to be commercialized, so I went from development to consulting. In 2000, I was at @Stake. There wasn't a pure-play security consulting company before that.

What is the key rule that you live by in terms of security?
Snyder: That nothing is secure. That's an important thing to remember, both on the side of developing software and also on side of the security tester. Keep thinking about ways to protect the system, because there's always going to be somebody trying to get in, somebody trying to take advantage of a weakness in the system and hurt your customers.

You spent about three years at Microsoft. What did you do there?
Snyder: Initially, I worked on the Secure Windows Initiative, developing methodology and working with the different product teams to help secure Microsoft products. I created a role for somebody to manage the overall parts of security for the operating system. Microsoft had somebody on the Windows team who signed off on localization, somebody who focused on performance, and somebody who focused on partner integration. There are all these roles, but there was nobody for security.

After Windows XP Service Pack 2 shipped, I was one of the first people on a new community team. I formalized some the things that I had been doing informally, which was reaching out to the security research community and bringing them into Microsoft. We were able to go out into the community and bring in information and make it available to the product teams. One way that manifested itself is Blue Hat, an event I created to bring the type of speakers you would see at Black Hat or CanSecWest to Microsoft.

Now you're here at Mozilla. Do you see a challenge here, or can you put your feet up on your desk?
Snyder: There's an opportunity here. Mozilla is in a really unique situation because of their community. We can take the learning from development and the engineering environment at Mozilla and make it available to the rest of the world. So others can learn from the lessons we have learned while developing these products.

What do you mean by that?
Snyder: There has been a lot of great work done. I think there is a great opportunity to continue that work and make the entire process available externally. That's actually what's most exciting to me--that, because of the nature of these open-source projects, other people can learn from all of the things that we're learning here.

In a commercial environment, you usually have proprietary software, it is closed source. People see the output, but they don't get to see the process. At Mozilla--let's say, Firefox--you can see both the output and all the steps that went into it.

What would you say about the security of the Mozilla products?
Snyder: There's been a lot of great work done.

But nothing is secure?
Snyder: Nothing is secure, so there definitely is an opportunity to make it better.

More Newsmakers

[City_Of_LA]

Call me narrow-minded

But I've never seen an African-American woman in computer security. Infact, I've never seen any woman in computer security or much in software development for that matter. Good on ya babe!!

[mike.gw]

Times a-changing

When I started in the industry 22 years ago, it was dominated by white men, and the occasional white woman. Slowly, I began to notice more minority and female representation in the industry. There is still more progress that can be made, but it is good to see a more diverse workforce that better represents the country's population mix. And the African American women that I've had the pleasure to work with, tend to possess top notch skills in their specialty of the computer industry.

[GlennAl]

Perhaps you should get out more

I've worked 20+ years at a medium-to-large southern university and encountered numerous women of various ethnic backgrounds in all areas of computing, including security, software development, and networking. The more diversity, the better; so, yeah, "good on ya", but "babe!!"? (Is being a "babe" relevant in any way? OK, just kiddin'--I know you're only being "vernacular". Righteous! ;-)

[sdnative1]

Narrow-Minded or Just Ignorant?

It almost seems that you have your doubts as to the woman's ability because haven't seen a woman with that title. Secondly, there is no mention of the woman's ethnicity in the story. You just look at a photo and ASSUME she's African American? She could be part black and part white for all you know. Maybe even Puerto-Rican. You are not just a little ignorant, but VERY ignorant. This just in - it's not just a white men in high positions in America. Women are doctors, lawyers, company presidents, astronauts, and truck drivers. Your user name is "City Of LA". If you are in fact in Los Angeles, a city of such diversity, it's even more surprising. Perhaps now you won't be one just-out-from-under-a-rock, narrow-minded and ignorant people.

[brodie657]

Window?

Her name is Window and she worked for Microsoft? Thats awesome. She joins the ranks of Explorer (who works for Ford), Count Chocula (General Mills) and Dimension (Dell).

Seriously who names their kid Window and thinks its a good name? =)

[news_reader]

My parents named me News-Reader

So here I am.

[mike.gw]

It's an interesting name

It probably has an inspirational meaning to her parents. Perhaps to them, it meant "opportunity". And I'm sure the name didn't hurt when her resume landed in HR at Microsoft.

[ralfthedog]

You think her name is strange?

I still wonder what my mother was thinking when she named me after her favorite poodle.

[Penguinisto]

She just got there, guys...

How in hell can you demand an answer to the 'big' question before she even has a chance to review the codebase, internal processes, policies, and structure of the Mozilla team?

PS: Nice misleading title you got there.

/P

[Bob H in NPR]

Window from Microsoft to Mozilla

Great move for Mozilla. Microsoft seems to be leading in a new way to fight bugs. Her expertise is very welcome as a way to make security even more open sourced than it already is. As I am living in poverty, I appreciate all the good open source software out there, espacially the top rated stuff.
Bob H in NPR

[brilo]

Define Irony!??!?!?!!?? Hilarious!

After I got over the whole Window thing I got to thinking....what are her accolades again? She organized the Blue Hat convention!?!?!? This really isn't a great achievement, more or less it's a no brainer.
As for Mozilla hiring her.....are you sure you want to hire one of the Security leads from MS?? Do you really want to hire Accountants from Enron or have Charles Manson babysit for your kids? Hell no!!! Why hire a security person from MS over to Mozilla?

[pedershk]

Hrmph

It's quite obvious you have absolutely no idea what you're talking about. Microsoft has emphasized security extremely heavily over the past couple of years, and to be fair - I can't really think of a product more complex to make secure than Microsoft Windows.

Managing a team of several thousand developers and making sure they all "think, sleep and drink security" is a momentous achievement. Especially when you consider that "taking shortcuts" is almost etched into a programmer's brain in many cases.

[a85]

You're right

I agree, there has been a big shift at Microsoft and people forget that all software products are insecure. Mac OS X, Linux - all OSs and browsers are vulnerable to hackers and 'malware'. I guess people just love to hate Microsoft.

[t8]

Why switch jobs?

Because there isn't much scope for security in Windows. A security person working at MS will be under utilized

If Windows was secure, they wouldn't be able to sell you their (MS) Antivirus software and the like.

MS needs to make money somewhere. The growth of computers is not on increasing. So selling an insecure OS, then sell you a service to protect you from the vulnerabilities, is a good way to double revenue.

[t8]

Why switch jobs?

Because there isn't much scope for security in Windows. A security person working at MS will be under utilized

If Windows was secure, they wouldn't be able to sell you their (MS) Antivirus software and the like.

MS needs to make money somewhere. The growth of computers is not on increasing. So selling an insecure OS, then sell you a service to protect you from the vulnerabilities, is a good way to double revenue.

[kabweza]

She said it. Fierfox is better than IE

Maybe not in one word but she said...