Security chief Window Snyder will detail the "gory details" of how Mozilla gets security donesomething you dont get out of a traditional vendor, she told eWEEK in an interview. "[At] Mozilla, the whole worlds watchingwe couldnt hide if we wanted to," Snyder said.
Before she came to work for Mozilla, Snyder was a security consultant. She said she saw people constantly reinventing the wheel in terms of security testing processes, tools or how to get a baseline. One thing she came away with: Smaller environments that cant afford a human security professional are struggling to get security information.
So when she got to Mozilla, Snyder decided to make things better for those frantic people. "At Mozilla, since the whole world can see what were doing, [we thought] maybe we can package it up, make it available, get some feedback on it, have people contribute, and have other projects use them," she said.
"Thats our hope, that people might find it useful," Snyder said.
A fuzzer is a tool that sends data to an application in ways that the application might not expect. A fuzzer can run through test casesin some cases millions of test caseswith combinations of data and fields manipulated in many ways. The tool by itself isnt dangerous, but it can be used to find where unexpected behavior is in input validationa useful clue to identifying a vulnerability.
Mozilla also plans to release a protocol fuzzer for HTTP on the client side and a fuzzer for FTP, also from the client side, in a few months, and still more tools after that.
Click here to read about serious URI-handling holes in Firefox that, if left unpatched, leave a system open to hijacking.
Only one company thanked the open-source foundation. None has given Mozilla the feedback it would be grateful to hear regarding whether the tool was useful, Snyder said.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.
Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.