March 1, 2008
In 2006, Mozilla’s Firefox Internet browser boasted a mere nine days of vulnerability (the time between when a security threat is discovered and when it’s fixed) compared with Internet Explorer’s whopping 284 days. And while the latter reigns as the most popular browser for U.S. users, it’s clear that Mountain View, California-based Mozilla is working feverishly to ensure that cybersurfers using its system are kept safe from hackers, phishers, and other online threats.
Leading that charge is Window Snyder, 32, a security guru who for three years served as a senior security strategist at Microsoft, and who prior to that was principal and founder of the New York-based security services firm Matasano. Since 2006 she’s filled the position of head of security at Mozilla, a firm that claims about 18% of the online browser market share worldwide, and as much as 28% to 45% in Europe.
An avid blogger whose contributions can be found on both her company security blog (http://blog.mozilla.com/security) and her personal site (www.dec.net/ws), Snyder starts her day with a 7:00 a.m. perusal of the latest security news and e-mail.
“I try to read everything that’s being published about Firefox and online security issues,” says Snyder, whose job also includes following up on the progress of security bug remediation, working closely with engineers to identify ways to make Firefox more secure overall, keeping users up-to-date on such developments, and speaking at international conferences on topics such as software and Internet security.
Where Firefox differs from browsers such as Internet Explorer, says Snyder, is in its open-source status, which allows users to read and make changes to its programming code. “About 20,000 volunteers worldwide download new builds every night and contribute to our security efforts by testing software before it’s released,” she says. “Security researchers in the Mozilla community contribute ideas, write code, and help identify potential security issues.”
Those volunteers help Mozilla break through one of the major online security barriers that most vendors deal with: acknowledging security breaches and quickly coming up with patches to fix them. “Most software vendors don’t want to talk about the gory details of security and the creation of patches,” says Snyder. “Because we’re open, we can share all of the details and past projects with our team members and volunteers, who can then leverage that information without having to always reinvent the wheel.”
But convincing the industry that “open” will somehow translate into “more secure” isn’t always easy. “The industry tends to be closed when it comes to security issues, feeling that it will just blow over,” she explains. “Based on my past experience working in other commercial software environments, I can tell you that the more open you are with people, the more trust you build in your products and services.”
Snyder, who co-wrote Threat Modeling, an online security guidebook that’s used by software engineers worldwide, says the future will find Mozilla expanding its open source strategy and striving to keep its days of vulnerability to users as low as possible for all Mozilla projects. “Expect to