September 21, 2006 4:00 AM PDT
Newsmaker: Mozilla looks to Microsoft for securitySee all Newsmakers
- Related Stories
Firefox update patches security holesSeptember 15, 2006
Microsoft offers helping hand to FirefoxAugust 24, 2006
Mozilla delays Firefox 2.0 releaseAugust 16, 2006
Hackers work to exploit latest Firefox flawSeptember 13, 2005
Bug hunters, software firms in uneasy allianceSeptember 6, 2005
Microsoft wants to meet more hackersAugust 1, 2005
Window Snyder, formerly of Microsoft, now heads up security at Mozilla, the company best known for its open-source Firefox Web browser. While Microsoft is often criticized over the security of its products, Mozilla is seen in a more favorable light. Yet Firefox and other Mozilla products have their share of security problems.
At Microsoft, Snyder helped formalize the process to secure Windows. She also created an event, dubbed Blue Hat, that brought hackers onto the Microsoft campus to expose flaws in the company's software in front of its creators.
In her new role, Snyder plans to share Mozilla's security secrets with the world, strengthen ties with the security researcher community and rid Mozilla products of old, potentially dangerous, code, she told CNET News.com in a recent interview.
Snyder is a self-described geek and the daughter of programmers. Before she was even a teenager, her mom taught her to program Basic on a Texas Instruments 99 computer. She went on to a career that included various security consulting jobs, such as at @Stake, which was purchased by Symantec.
Snyder sat down with CNET News.com at Mozilla's office in Mountain View, Calif., to talk about how to make software as watertight as possible in a world where nothing is secure.
Q: How did you come to be interested in security?
Snyder: I studied mathematics and computer science, which led me to cryptography. From there, I definitely developed an interest in how to build secure applications, and, at the same time, how to circumvent secure systems. Once I was a software engineer, I pretty much started working on security applications.
When did you first get involved professionally?
Snyder: I was developing applications where security was critical very early on in my career. I was also involved in security research groups in the '90s.
In the late '90s is when the security industry really changed: It was the beginning of Internet Security Systems and other companies. There was finally a place for these skills to be commercialized, so I went from development to consulting. In 2000, I was at @Stake. There wasn't a pure-play security consulting company before that.
What is the key rule that you live by in terms of security?
Snyder: That nothing is secure. That's an important thing to remember, both on the side of developing software and also on side of the security tester. Keep thinking about ways to protect the system, because there's always going to be somebody trying to get in, somebody trying to take advantage of a weakness in the system and hurt your customers.
You spent about three years at Microsoft. What did you do there?
Snyder: Initially, I worked on the Secure Windows Initiative, developing methodology and working with the different product teams to help secure Microsoft products. I created a role for somebody to manage the overall parts of security for the operating system. Microsoft had somebody on the Windows team who signed off on localization, somebody who focused on performance, and somebody who focused on partner integration. There are all these roles, but there was nobody for security.
After Windows XP Service Pack 2 shipped, I was one of the first people on a new community team. I formalized some the things that I had been doing informally, which was reaching out to the security research community and bringing them into Microsoft. We were able to go out into the community and bring in information and make it available to the product teams. One way that manifested itself is Blue Hat, an event I created to bring the type of speakers you would see at Black Hat or CanSecWest to Microsoft.
Now you're here at Mozilla. Do you see a challenge here, or can you put your feet up on your desk?
Snyder: There's an opportunity here. Mozilla is in a really unique situation because of their community. We can take the learning from development and the engineering environment at Mozilla and make it available to the rest of the world. So others can learn from the lessons we have learned while developing these products.
What do you mean by that?
Snyder: There has been a lot of great work done. I think there is a great opportunity to continue that work and make the entire process available externally. That's actually what's most exciting to me--that, because of the nature of these open-source projects, other people can learn from all of the things that we're learning here.
In a commercial environment, you usually have proprietary software, it is closed source. People see the output, but they don't get to see the process. At Mozilla--let's say, Firefox--you can see both the output and all the steps that went into it.
What would you say about the security of the Mozilla products?
Snyder: There's been a lot of great work done.
But nothing is secure?
Snyder: Nothing is secure, so there definitely is an opportunity to make it better.
23 commentsJoin the conversation! Add your comment