http://www.internetnews.com/security/article.php/3817511/Learning+From+Mozilla+Security.htm
A big part of how Mozilla secures its software is by testing often and regularly, with a number of different techniques and tools. According to Nightingale, Mozilla runs 90,000 automated tests, using eight different test frameworks (called "harnesses") on four platforms, at least 20 times a day.
Mozilla has been criticized by some security vendors as having more bugs than other browser vendors.
But Nightingale argued that the bug count is the industry's worst security metric of all. In his view, focusing on bug counting creates perverse incentives for security. Instead, Nightingale suggests that more meaningful metrics are measuring the number of days users are exposed to risk as well as the average time it takes to deploy fixes.
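To make the contrast concrete, here is an added example (not from the article or from Mozilla) that computes both kinds of metric over a constructed set of advisory records and shows how the "worst vendor" ranking changes with the metric chosen; the vendor names, the dates and the exact definitions of "days at risk" and "time to deploy" are assumptions.

```python
from datetime import date
from collections import defaultdict

# Constructed sample advisories, not real vendor data. Each record is
# (vendor, disclosed, fix_released, fix_deployed) for one security bug.
# Assumption: "days at risk" runs from public disclosure until the fix
# reaches users; "time to deploy" runs from fix release to deployment.
SAMPLE_ADVISORIES = [
    ("VendorA", date(2009, 1, 5), date(2009, 1, 7), date(2009, 1, 8)),
    ("VendorA", date(2009, 2, 1), date(2009, 2, 3), date(2009, 2, 4)),
    ("VendorA", date(2009, 3, 10), date(2009, 3, 12), date(2009, 3, 13)),
    ("VendorB", date(2009, 1, 15), date(2009, 3, 1), date(2009, 4, 1)),
]


def metrics_by_vendor(advisories):
    """Return {vendor: {"bugs", "days_at_risk", "mean_days_to_deploy"}}."""
    acc = defaultdict(lambda: {"bugs": 0, "days_at_risk": 0, "deploy": []})
    for vendor, disclosed, released, deployed in advisories:
        if not (disclosed <= released <= deployed):
            raise ValueError(f"{vendor}: advisory dates out of order")
        entry = acc[vendor]
        entry["bugs"] += 1                                   # the bug-count metric
        entry["days_at_risk"] += (deployed - disclosed).days  # user exposure window
        entry["deploy"].append((deployed - released).days)    # fix rollout latency
    return {
        vendor: {
            "bugs": e["bugs"],
            "days_at_risk": e["days_at_risk"],
            "mean_days_to_deploy": sum(e["deploy"]) / len(e["deploy"]),
        }
        for vendor, e in acc.items()
    }


def rank_worst_first(metrics, key):
    """Vendors ordered from worst to best on the chosen metric."""
    return sorted(metrics, key=lambda v: metrics[v][key], reverse=True)


if __name__ == "__main__":
    m = metrics_by_vendor(SAMPLE_ADVISORIES)
    for key in ("bugs", "days_at_risk", "mean_days_to_deploy"):
        print(f"worst-first by {key}: {rank_worst_first(m, key)}")
```

On this data VendorA has three times as many bugs, yet its users were exposed for 9 days in total against VendorB's 76, which is the point of preferring exposure-based metrics over raw counts.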
To Nightingale, good security is a feedback loop, where at every step of the process, if something breaks or goes wrong, the question 'Why?' must be asked -- and answered.
"At the end of the day, we're a non-profit project trying to help build a better Internet," Nightingale told InternetNews.com. "If giving away those processes and tools helps other projects keep their users safe, that's great news for us."