The Channel logo


By | John Leyden 8th July 2008 12:05

Mozilla develops browser security metrics

Seeks smarter vuln stats

Mozilla is piloting a project designed to develop a better model for the security of Firefox, by tracking a whole series of metrics over time.

Instead of simply recording the number of patches issued in a year the scheme also aims to gauge the relative risk to users over time and the effectiveness of Mozilla's developers in trying to develop a more secure browser.

The approach will allow Mozilla to develop a baseline model for the security of its browser that measures factors such as how long users are exposed to bugs (the so-called window of vulnerability). This model will be refined over time, a post on Mozilla's security blog explains.

"We do not think any model can define an absolute level of security, so we decided to take the approach of tracking metrics over time so we can track relative improvements (or declines), and identify any problem spots. This information will support the development of Mozilla projects including future versions of Firefox," it explained.

Independent security consultant Rich Mogull has been working with Mozilla's developers on the project over recent months. A preliminary summary of the project's goals can be found here (spreadsheet file). Mozilla is encouraging community feedback in developing the approach. Ideas include correlating the severity of a vulnerability with how long it takes users to apply patches.

It hopes its scheme will eventually provide a framework that other software developers can apply while creating a more sophisticated slant of the software security debate. In part Mozilla is looking to dispel the notion that software that is frequently updated must be inherently less secure. ®

comment icon Read 6 comments on this article alert Send corrections


Frank Jennings

What do you do? Use manual typwriters or live in a Scottish croft? Our man advises
A rusty petrol pump at an abandoned gas station. Pic by Silvia B. Jakiello via shutterstock

Trevor Pott

Among other things, Active Directory needs an overhaul
Baby looks taken aback/shocked/affronted. Photo by Shutterstock

Kat Hall

Plans for 2 million FTTP connections in next four years 'not enough'
Microsoft CEO Satya Nadella


League of gentlemen poster - Tubbs and Edward at the local shop. Copyright BBC
One reselling man tells his tale of woe