Mozilla looks to Microsoft for security

Q&A Window Snyder, formerly of Microsoft, now heads up security at Mozilla, the company best known for its open-source Firefox Web browser.
Written by Joris Evers, Contributor
Mozilla's new security chief won't say outright whether Firefox is more secure than Internet Explorer.

Window Snyder, formerly of Microsoft, now heads up security at Mozilla, the company best known for its open-source Firefox Web browser. While Microsoft is often criticized over the security of its products, Mozilla is seen in a more favorable light. Yet Firefox and other Mozilla products have their share of security problems.

At Microsoft, Snyder helped formalize the process to secure Windows. She also created an event, dubbed Blue Hat, that brought hackers onto the Microsoft campus to expose flaws in the company's software in front of its creators.

In her new role, Snyder plans to share Mozilla's security secrets with the world, strengthen ties with the security researcher community and rid Mozilla products of old, potentially dangerous, code, she told CNET News.com in a recent interview.

Snyder is a self-described geek and the daughter of programmers. Before she was even a teenager, her mom taught her to program Basic on a Texas Instruments 99 computer. She went on to a career that included various security consulting jobs, such as at @Stake, which was purchased by Symantec.

Snyder sat down with CNET News.com at Mozilla's office in Mountain View, Calif., to talk about how to make software as watertight as possible in a world where nothing is secure.

Q: How did you come to be interested in security?
Snyder: I studied mathematics and computer science, which led me to cryptography. From there, I definitely developed an interest in how to build secure applications, and, at the same time, how to circumvent secure systems. Once I was a software engineer, I pretty much started working on security applications.

If (code) does not add any benefit to the customers, it is probably only adding risks. If people aren't really using it, that code should go.

When did you first get involved professionally?
Snyder: I was developing applications where security was critical very early on in my career. I was also involved in security research groups in the '90s.

In the late '90s is when the security industry really changed: It was the beginning of Internet Security Systems and other companies. There was finally a place for these skills to be commercialized, so I went from development to consulting. In 2000, I was at @Stake. There wasn't a pure-play security consulting company before that.

What is the key rule that you live by in terms of security?
Snyder: That nothing is secure. That's an important thing to remember, both on the side of developing software and also on side of the security tester. Keep thinking about ways to protect the system, because there's always going to be somebody trying to get in, somebody trying to take advantage of a weakness in the system and hurt your customers.

You spent about three years at Microsoft. What did you do there?
Snyder: Initially, I worked on the Secure Windows Initiative, developing methodology and working with the different product teams to help secure Microsoft products. I created a role for somebody to manage the overall parts of security for the operating system. Microsoft had somebody on the Windows team who signed off on localization, somebody who focused on performance, and somebody who focused on partner integration. There are all these roles, but there was nobody for security.

After Windows XP Service Pack 2 shipped, I was one of the first people on a new community team. I formalized some the things that I had been doing informally, which was reaching out to the security research community and bringing them into Microsoft. We were able to go out into the community and bring in information and make it available to the product teams. One way that manifested itself is Blue Hat, an event I created to bring the type of speakers you would see at Black Hat or CanSecWest to Microsoft.

Now you're here at Mozilla. Do you see a challenge here, or can you put your feet up on your desk?
Snyder: There's an opportunity here. Mozilla is in a really unique situation because of their community. We can take the learning from development and the engineering environment at Mozilla and make it available to the rest of the world. So others can learn from the lessons we have learned while developing these products.

What do you mean by that?
Snyder: There has been a lot of great work done. I think there is a great opportunity to continue that work and make the entire process available externally. That's actually what's most exciting to me--that, because of the nature of these open-source projects, other people can learn from all of the things that we're learning here.

In a commercial environment, you usually have proprietary software, it is closed source. People see the output, but they don't get to see the process. At Mozilla--let's say, Firefox--you can see both the output and all the steps that went into it.

What would you say about the security of the Mozilla products?
Snyder: There's been a lot of great work done.

But nothing is secure?
Snyder: Nothing is secure, so there definitely is an opportunity to make it better.

Is Firefox more secure than Microsoft's Internet Explorer?
Snyder: This gets into how you measure security. I think one of the most important metrics of security is days of risk: How long does it take for a vendor to get a patch out to its customers? Then, once the patch is available, how long does it take to deploy it?

I think Mozilla has made the number of days between the time a vulnerability is identified and a patch is available incredibly small, and it is shrinking.

So the answer, in one word: Is Firefox more secure than Internet Explorer?
Snyder: I don't think there is a one-word answer for that question.

You can't say yes or no?
Snyder: You have to look at the days of risk. You have to look at the overall process, how responsive and how transparent the processes are.

Are there any security challenges that face Mozilla or its products?
Snyder: We have a tremendous opportunity, from our features perspective, to implement changes that will enhance the overall security of the product--for example, reducing the attack surface area by eliminating code that is either dead or infrequently used. There are some file-parsing engines or mechanisms that are present, but maybe for file formats that aren't widely in use.

If it does not add any benefit to the customers, it is probably only adding risks. If people aren't really using it, that code should go.

You dealt with security researchers at Microsoft and will deal with them at Mozilla. How do you see the community? There have been several cases where researchers have gone public with Firefox flaws.
Snyder: The security research community I see as another part of the Mozilla community. There's an opportunity for these people, if they get excited about the Mozilla project, to really contribute. They can contribute to secure design, they can suggest features, they can help us identify vulnerabilities, and they can help us test it. They can help us build tools to find more vulnerabilities. The spectrum is much broader (than with commercial products) in ways the research community can contribute to this project.

Did you use Firefox already before you came here?
Snyder: Oh yeah. I use everything. So at home, of course, I have Macs, I have PCs and machines running Linux. I have a broad range of platforms and software at home.

Are you working more hours now than you were working before?
Snyder: Probably, but I am spending a lot of time getting up to speed, and assessing where we are. It is a brand-new job for me, so you've got to jump in and get started. That means spending a lot of time talking to people and reading all the old bugs.

Editorial standards