Security experts at BlackBerry and Mozilla have teamed up to develop a testing tool aimed at discovering and fixing software vulnerabilities in Web browsers.
The two companies are working together to develop “Peach,” a free testing tool, to improve Web browsers security. Peach was created by Michael Eddington of Déjà vu Security in 2004 and has been under active development since.
According to Adrian Stone, director of security response and threat analysis at BlackBerry, the idea for Mozilla and BlackBerry to work together on Peach was born from talks between employees of the companies at the CanSecWest Applied Security Conference in Vancouver. Peach is a fuzzing tool, and works by utilizing fault injection to identify security risks before they impact users.
“One of the main benefits of fuzzing is the automatic fault injection, which is kind of by nature what you are doing–manipulating data and sending tons of different variations into a set of code,” Michael Coates, Mozilla’s director of security assurance, told eWEEK.
“And your goal there is to figure out how did that code fail? How did the developer miss something when he gets a particular type of crazy malformed data? And the benefit of using fuzzing is you are trying many different iterations…that would never be possible by hand, so you flush out these rather esoteric issues that you couldn’t have discovered” through other forms of security testing.
The plan, Stone and Coates explained, is to add new file formats for fuzzing HTML5 features as well as to build out the framework so that it scales more readily. Already, Mozilla has used Peach to perform fuzz testing against HTML5 features, including multimedia APIs like WebGL and most recently protocols used in WebRTC. According to BlackBerry, the collaboration with Mozilla fits into its existing security processes and infrastructure, as the company regularly uses third-party fuzzers as well as its own proprietary tools for security resting.
Within the next year, the companies plan to release more information about what they did, how they used the tool and the lessons learned along the way.
“Security is a challenging area and when you get similar minds thinking about these problems to work together, it’s a huge benefit,” Coates said.
Separate from the announcement of their partnership with BlackBerry, Mozilla also discussed plans for Minion, an open-source security project aimed at application developers and security professionals. Minion is being developed by the Security Automation team at Mozilla to enable “integration and adoption of automated security testing,” and has been under development for the past year, Mozilla noted in a blog post.
“The platform allows any team to set up the basic requirements to perform automated scanning and testing of Websites and services by providing sensible defaults for plug-ins that enable scanning of many types of Web applications and services,” according to the blog.
The goal is to make it easier for Web developers to do security testing of their Web applications, Coates said.
“What we’ve found is with Web application security testing, in most situations there is a need for a security professional to be involved to either run the tool and analyze the results [or] do the testing themselves, and that doesn’t scale,” he said.
“Not all Web developers are security experts. What we’ve done is we’re working to build a tool that gives developers something that is easy to use, where they understand the output, and they get results that they can use—that are actionable.”