
Mozilla Launches Security Metrics Project

Posted by Soulskill
from the how-do-you-measure-transparancy dept.
Earthweb passes along a ZDNet article which notes, "In partnership with indie security consultant Rich Mogull, Mozilla has launched a valuable Security Metrics Project that — we can only hope — could help to put an end to the silly notion that patch-counting helps to determine a product's security posture. The idea is to develop a metrics model that goes beyond simple bug counts to reflect accurately the effectiveness of secure development efforts and the relative risk to users over time. Mogull has released a spreadsheet (.xls) with a preliminary version of the model and Mozilla's Window Snyder is actively seeking feedback to make the project open and meaningful."
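To make the summary's point concrete, here is an added illustration (not Mogull's spreadsheet model and not Mozilla's code) of why a raw patch count and a risk-over-time metric can disagree. It uses a hypothetical severity-weighted "days of public exposure" metric over two constructed sets of vulnerability records: product A ships many quick fixes, product B ships one fix and leaves a critical issue open. The severity weights, product data and dates are all made up for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Hypothetical severity weights for the example; not taken from the project.
SEVERITY_WEIGHT = {"low": 1, "moderate": 3, "high": 6, "critical": 10}


@dataclass
class Vuln:
    ident: str
    severity: str
    disclosed: date           # date the issue became publicly known
    fixed: Optional[date]     # date a fix shipped, or None if still open


def patch_count(vulns: List[Vuln]) -> int:
    """The naive metric: how many issues have been patched."""
    return sum(1 for v in vulns if v.fixed is not None)


def exposure_days(v: Vuln, as_of: date) -> int:
    """Days users were exposed to a public issue, up to `as_of`.

    An unfixed issue keeps accruing exposure until the reporting date."""
    end = v.fixed if v.fixed is not None and v.fixed <= as_of else as_of
    return max((end - v.disclosed).days, 0)


def weighted_exposure(vulns: List[Vuln], as_of: date) -> int:
    """Severity-weighted days of exposure; the 'risk over time' view."""
    return sum(SEVERITY_WEIGHT[v.severity] * exposure_days(v, as_of)
               for v in vulns)


def mean_days_to_fix(vulns: List[Vuln]) -> Optional[float]:
    """Average disclosure-to-fix interval over the issues that were fixed."""
    fixed = [v for v in vulns if v.fixed is not None]
    if not fixed:
        return None
    return sum((v.fixed - v.disclosed).days for v in fixed) / len(fixed)


def scorecard(vulns: List[Vuln], as_of: date) -> Dict[str, object]:
    """All three views of the same data side by side."""
    return {
        "patch_count": patch_count(vulns),
        "weighted_exposure_days": weighted_exposure(vulns, as_of),
        "mean_days_to_fix": mean_days_to_fix(vulns),
        "open_critical": sum(1 for v in vulns
                             if v.fixed is None and v.severity == "critical"),
    }


# Constructed sample data (not real products or advisories).
AS_OF = date(2008, 7, 4)

PRODUCT_A = [   # many patches, each shipped within days
    Vuln("A-1", "low",      date(2008, 3, 1), date(2008, 3, 5)),
    Vuln("A-2", "moderate", date(2008, 3, 10), date(2008, 3, 14)),
    Vuln("A-3", "high",     date(2008, 4, 1), date(2008, 4, 6)),
    Vuln("A-4", "critical", date(2008, 5, 1), date(2008, 5, 3)),
    Vuln("A-5", "low",      date(2008, 6, 1), date(2008, 6, 11)),
]

PRODUCT_B = [   # one patch, one critical issue still open on the report date
    Vuln("B-1", "critical", date(2008, 4, 1), None),
    Vuln("B-2", "moderate", date(2008, 2, 1), date(2008, 3, 15)),
]

if __name__ == "__main__":
    for name, vulns in (("A", PRODUCT_A), ("B", PRODUCT_B)):
        print(name, scorecard(vulns, AS_OF))
```

Counting patches ranks A as the "buggier" product (5 patches versus 1); weighting each day of public exposure by severity ranks B far worse, because its unfixed critical issue has been exposing users for months. Neither number is a verdict on its own, but the second one reflects what a user actually experiences over time.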
  • Ten Fucking Days (Score:2, Interesting)

    by Anonymous Coward

    Where's the fix for the suspiciously-timed Firefox 3 (and 2) code execution bug? That would boost security.

  • Looks like they're depending a lot on feedback. From paid consultants?
  • by Anonymous Coward
    I wish they'd pick a different name. Every time I look at it, I think of Security Metrics [securitymetrics.com] (one of the "we'll run Nessus against your site for a fee" providers).
  • by Anonymous Coward

    If Mozilla is so committed to open standards, then why didn't they ask Mogull to publish an ODF version of the spreadsheet, even if only alongside the Microsoft Office binary file?

  • Hmmm (Score:3, Interesting)

    by Anonymous Coward on Saturday July 05, 2008 @05:09AM (#24064781)

    So, we don't like the current stats because they make us look bad; so let's try to create a new "standard" which will make us look better? A standard that can only really be applied to open source, because you can't see the bug count in closed source?

    Wow. That really smells.

    • Re: (Score:2, Funny)

      by awrowe (1110817)
      Why isn't there a moderation option +1 Cynical?
    • Re:Hmmm (Score:4, Insightful)

      by hedwards (940851) on Saturday July 05, 2008 @05:36AM (#24064837)

      The current standards, in addition to making all of the parties look bad, are incredibly misleading.

      Patch counts say very little about the actual security of a program; it just says that X number have been patched out of a total of Y. And usually those will be broken up into categories roughly by severity.

      The problem is that vulnerabilities aren't that straightforward. For instance, where do you put an incredibly difficult to exploit bug which also grants complete control when done correctly? Is that severe, minor, or do you split the difference? It's not particularly clear, and which it is likely depends upon what the computer is used for.

      I'm positive that no solution is perfect, but at least with a decent metric it's a bit easier to shame those browsers which are truly insecure rather than those with a huge number of patches left to create.

      • Like which browsers are "truly insecure"? All of them on this round are turning out to be fairly decent these days.

        And Microsoft has been rather committed to security even issuing a security update for IE8 Beta 1, which really they shouldn't have to do.
    • by wolferz (1173471)
      IF it is truly an "open" project then IN THEORY the end result would not be biased...

      ...but then again it's the opensource/mozilla fanboys and the anti-ms fanboys that are gonna be contributing to this more than any other groups. Thus it will probably be more biased than it would have if Mozilla had kept it top secret.
    • Re: (Score:1, Informative)

      by Anonymous Coward

      "So, we don't like the current stats because they make us look bad; so let's try to create a new "standard" which will make us look better? A standard that can only really be applied to open source, because you can't see the bug count in closed source?

      Wow. That really smells." - by Anonymous Coward on Saturday July 05, @05:09AM (#24064781)

      Agreed, 110%... instead of WASTING TIME doing that (well, there is no guarantee that Rich Mogull can actually DO anything more than that, let alone code to help the Mozilla dev team, OR even actively test the program trying to screw it up, finding another form of 'bug', not just security ones), fix the known unpatched security issues & you do NOT have to go about this b.s., period...

      AS IT STANDS, NOW TODAY/CURRENTLY?

      -----
      SECUNIA DATA ON BROWSER SECURITY (dated 07/04/2008 - "4th July U.S.A."):

      -----

      Opera

  • 'open' will be a very important condition.

  • Noted inventor Benjamin Franklin was once asked how best to rank 2 products. The response went something like, "Create a column of all the benefits of both products. For each product, attach another column. Go through the list and place a check mark in the corresponding box. The product with the most checks is the better product."

    I can see where applying this to Safari, Opera, and IE, would be a good thing. But I also think that making it public would start a trend that would be very constructive from a user
