Original URL: https://www.theregister.com/2008/07/08/mozilla_security_metrics/

Mozilla develops browser security metrics

Seeks smarter vuln stats

By John Leyden

Posted in Channel, 8th July 2008 12:05 GMT

Mozilla is piloting a project designed to develop a better model for the security of Firefox, by tracking a whole series of metrics over time.

Instead of simply recording the number of patches issued in a year the scheme also aims to gauge the relative risk to users over time and the effectiveness of Mozilla's developers in trying to develop a more secure browser.

The approach will allow Mozilla to develop a baseline model for the security of its browser that measures factors such as how long users are exposed to bugs (the so-called window of vulnerability). This model will be refined over time, a post on Mozilla's security blog explains.

"We do not think any model can define an absolute level of security, so we decided to take the approach of tracking metrics over time so we can track relative improvements (or declines), and identify any problem spots. This information will support the development of Mozilla projects including future versions of Firefox," it explained.

Independent security consultant Rich Mogull has been working with Mozilla's developers on the project over recent months. A preliminary summary of the project's goals can be found here (spreadsheet file). Mozilla is encouraging community feedback in developing the approach. Ideas include correlating the severity of a vulnerability with how long it takes users to apply patches.

It hopes its scheme will eventually provide a framework that other software developers can apply while creating a more sophisticated slant of the software security debate. In part Mozilla is looking to dispel the notion that software that is frequently updated must be inherently less secure. ®