Mozilla Foundation developing a model for a security metric
The Mozilla Foundation plans to develop a better model for gauging the security of its Firefox web browser. Unlike Microsoft, it does not want the number of officially released security updates to be the sole parameter. By the method Microsoft uses to measure security, an absence of patches would equate to a high degree of security; Microsoft's claim that Vista is still more secure than other operating systems further illustrates this approach. The Mozilla Foundation instead wants its evaluation to include a variety of factors in the development process and the techniques and tools used in it. The sequence of the process from the time a security vulnerability is reported until a patch is distributed is also to be analysed.
One of the main factors cited is how long Firefox users are exposed to a threat while a hole remains unpatched. The developers say they want to use the security metric derived from the results to identify any problematic stage in the development and patch process. The first approaches to this model were developed together with the security specialist Rich Mogull, who provides a rudimentary Excel file, in which objectives and parameters are defined, for downloading and discussion.
Academics at the Swiss Federal Institute of Technology in Zurich have already presented a new security metric at Black Hat 2008, though it relates specifically to operating systems. Their model doesn't just count the number of holes and note how critical they are; it also determines the "zero-day patch rate" to show whether a manufacturer is able to provide a patch at the time the existence of a hole becomes known.
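The two measurements described above, the exposure window from disclosure until a patch ships and the zero-day patch rate, are easy to compute once advisory and patch dates are collected in one place. The following Python is an added illustration and is not code from Mozilla, Rich Mogull's spreadsheet, or the ETH Zurich model; the advisory identifiers and dates are constructed sample data, and the field names are assumptions. It also covers the one edge case the metric has to handle: a hole that is still unpatched as of the reporting date.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import List, Optional


@dataclass
class VulnRecord:
    advisory_id: str          # placeholder identifier (constructed)
    disclosed: date           # day the hole became publicly known
    patched: Optional[date]   # day a fix shipped; None while still open


def exposure_days(rec: VulnRecord, as_of: date) -> int:
    """Days users were exposed: from public disclosure until a patch shipped,
    or until `as_of` if no patch has shipped yet (the window is still open)."""
    end = rec.patched if rec.patched is not None else as_of
    if end < rec.disclosed:
        # fix shipped before the hole became public: no public exposure window
        return 0
    return (end - rec.disclosed).days


def zero_day_patch_rate(records: List[VulnRecord]) -> float:
    """Share of holes for which a patch was available no later than the day
    the hole became public (the 'zero-day patch rate')."""
    if not records:
        return 0.0
    hits = sum(1 for r in records
               if r.patched is not None and r.patched <= r.disclosed)
    return hits / len(records)


def summarize(records: List[VulnRecord], as_of: date) -> dict:
    """Aggregate the per-hole exposure windows into a small metric set."""
    days = [exposure_days(r, as_of) for r in records]
    return {
        "count": len(records),
        "still_open": sum(1 for r in records if r.patched is None),
        "zero_day_patch_rate": zero_day_patch_rate(records),
        "max_exposure_days": max(days) if days else 0,
        "median_exposure_days": median(days) if days else 0,
    }


# Constructed sample advisories; dates and ids are illustrative only.
SAMPLE = [
    VulnRecord("ADV-0001", date(2008, 1, 10), date(2008, 1, 10)),  # same-day fix
    VulnRecord("ADV-0002", date(2008, 2, 1), date(2008, 2, 15)),   # two weeks exposed
    VulnRecord("ADV-0003", date(2008, 3, 3), date(2008, 3, 1)),    # fixed before disclosure
    VulnRecord("ADV-0004", date(2008, 4, 20), None),               # still unpatched
]
REPORT_DATE = date(2008, 5, 1)

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec.advisory_id, exposure_days(rec, REPORT_DATE), "days")
    print(summarize(SAMPLE, REPORT_DATE))
```

An unpatched hole keeps accumulating exposure days until the report date, so rerunning the summary on a later date moves the numbers; that is the intended behaviour, since it is exactly the delay between report and patch that the metric is meant to surface.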
- Mozilla Security Metrics Project, announcement by the Mozilla Foundation
- Critics say that Microsoft compares apples and browsers in its security study, heise Security report.