Mozilla's new security chief won't say outright whether Firefox is more secure than Internet Explorer.
Window Snyder, formerly of Microsoft, now heads up security at Mozilla, the company best known for its open source Firefox Web browser. While Microsoft is often criticised over the security of its products, Mozilla is seen in a more favourable light. Yet Firefox and other Mozilla products have their share of security problems.
At Microsoft, Snyder helped formalise the process to secure Windows. She also created an event, dubbed Blue Hat, which brought hackers onto the Microsoft campus to expose flaws in the company's software in front of its creators.
In her new role, Snyder plans to share Mozilla's security secrets with the world, strengthen ties with the security researcher community and rid Mozilla products of old, potentially dangerous, code, she told ZDNet UK's sister site, CNET News.com, in a recent interview.
Snyder is a self-described geek and the daughter of programmers. Before she was even a teenager, her mother taught her to programme Basic on a Texas Instruments 99 computer. She went on to a career that included various security consulting jobs, such as at @Stake, which was purchased by Symantec.
Snyder sat down with CNET News.com at Mozilla's office in California to talk about how to make software as watertight as possible in a world where nothing is secure.
Q: How did you come to be interested in security?
A: I studied mathematics and computer science, which led me to cryptography. From there, I definitely developed an interest in how to build secure applications and, at the same time, how to circumvent secure systems. Once I was a software engineer, I pretty much started working on security applications.
When did you first get involved professionally?
I was developing applications where security was critical very early on in my career. I was also involved in security research groups in the 1990s.
In the late 1990s, the security industry really changed: Ii was the beginning of Internet Security Systems and other companies. There was finally a place for these skills to be commercialised, so I went from development to consulting. In 2000, I was at @Stake. There wasn't a pure-play security consulting company before that.
What is the key rule that you live by in terms of security?
That nothing is secure. That's an important thing to remember, both on the side of developing software and also on side of the security tester. Keep thinking about ways to protect the system, because there's always going to be somebody trying to get in, somebody trying to take advantage of a weakness in the system and hurt your customers.
You spent about three years at Microsoft. What did you do there?
Initially, I worked on the Secure Windows Initiative, developing methodology and working with the different product teams to help secure Microsoft products. I created a role for somebody to manage the overall parts of security for the operating system. Microsoft had somebody on the Windows team who signed off on localisation, somebody who focused on performance, and somebody who focused on partner integration. There are all these roles, but there was nobody for security.
After Windows XP Service Pack 2 shipped, I was one of the first people on a new community team. I formalised some the things that I had been doing informally, which was reaching out to the security research community and bringing them into Microsoft. We were able to go out into the community and bring in information and make it available to the product teams. One way that manifested itself is Blue Hat, an event I created to bring the type of speakers you would see at Black Hat or CanSecWest to Microsoft.
Now you're here at Mozilla. Do you see a challenge here, or can you put your feet up on your desk?
There's an opportunity here. Mozilla is in a really unique situation because of their community. We can take the learning from development and the engineering environment at Mozilla and make it available to the rest of the world. So others can learn from the lessons we have learned while developing these products.
What do you mean by that?
There has been a lot of great work done. I think there is a great opportunity to continue that work and make the entire process available externally. That's actually what's most exciting to me — that, because of the nature of these open source projects, other people can learn from all of the things that we're learning here.
In a commercial environment, you usually have proprietary software, it is closed source. People see the output, but they don't get to see the process. At Mozilla — let's say, Firefox — you can see both the output and all the steps that went into it.
What would you say about the security of the Mozilla products?
There's been a lot of great work done.
But nothing is secure?
Nothing is secure, so there is definitely an opportunity to make it better.
Is Firefox more secure than Microsoft's Internet Explorer?
This gets into how you measure security. I think one of the most important metrics of security is days of risk: how long does it take for a vendor…
Talkback
Firefox is so much better, once you try it, There is no reason to go back.
I also found some great add-ons here http://firefox-download-server.com that made my Firefox even better. Warmly recommended.