This has already been reported in several places today, but I felt like sharing this anyway since I feel most people don’t understand what a huge step this is. To sum it up: the Firefox developers are taking a huge step forward when it comes to openness about security. Here’s what is going to happen:
- About a month ago the Mozilla Foundation announced that they would start measuring how security issues were handled. Window Snyder put it this way:
“We do not think any model can define an absolute level of security, so we decided to take the approach of tracking metrics over time so we can track relative improvements (or declines), and identify problem spots.”
- The second thing that is happening is, in my opinion, the most fundamental change: an outside company has been hired to do a review of the Firefox code to find attack vectors and other weaknesses. While this is not uncommon, the important thing to note is that all the results will become public:
“We want security researchers to get an idea of the level of threats we tolerate. I think it’s useful for the security research community to see what a complex product like Firefox looks like.”
- And as an added bonus, the Mozilla Foundation will hire a training company to develop training about secure programming, which will be required training for Firefox developers. Again, all information will become public:
In Snyder’s mind, the training information will be incredibly useful for an organization without the budget for a dedicated security team.
All the slides from the classes will be released along with the syllabus and classroom exercises. “We’ll be delivering the training in-house to our developers, then we’ll make the material available broadly,” Snyder said.