Mozilla and BlackBerry are throwing together their advanced threat detection tools to improve a popular open source 'fuzzing' tool, which the pair will use to find and squish new bugs in browsers.
The two companies will work on Peach v2, a version of the Peach open source fuzzing framework that helps with large-scale automated testing. Fuzzing throws unexpected code repeatedly at software to cause a crash and uncover breakages that could be exploited by hackers. The idea behind it is to find and remove the bugs before they reach the public.
Mozilla's director of security assurance Michael Coates notes in the announcement that Mozilla already uses Peach to fuzz test HTML5 features such as image, video and audio formats. HTML5, of course, is important not only for Mozilla's desktop and mobile browsers but also for Firefox OS, and this type of testing has already proved effective in helping secure both, according to Coates.
BlackBerry will bring its own experience to the effort, and, according to Coates, regularly uses third-party fuzzers and its own proprietary fuzzing tools, static analysis and vulnerability research to uncover security issues "across its portfolio of products and services".
"BlackBerry has long relied on large-scale automated testing to identify security issues across its platform. The collaboration with Mozilla plugs directly into BlackBerry's existing security processes and infrastructure," Coates said.
The research partnership, though, will focus purely on advancing Peach fuzzing software for testing Web browsers, and the partnership will benefit mobile and desktop customers, according to Adrian Stone, director of BlackBerry security response and threat analysis.
"Security is an industry-wide challenge that cannot be solved in a vacuum, and that is why BlackBerry and Mozilla security researchers are working together to develop new and innovative tools for detecting browser threats before they can affect both mobile and desktop customers," Stone said.
Mozilla's Coates also plugged the 0.3 release of Minion, a security testing platform under development by Mozilla's security automation team that helps scan and test websites and services like plugins.
According to Coates, Minion means that developers won't need to rely on a security professional to validate the results of tests.
"Many security tools generate excessive amounts of data, including incorrectly identified issues that require many hours of specialized research by a security professional. Minion favors accuracy and simplicity and is designed so every developer, regardless of security expertise, can use this platform to increase the security of their applications," Coates wrote.