When former Microsoft senior security strategist Window Snyder made her big move to Mozilla a couple of weeks ago, everybody wanted to know if her new email address would be "[email protected]." Now that Snyder is in her new digs, she is busy laying the groundwork for new security initiatives for the open source software company.
Mozilla's hiring of Snyder as its security guru (her title is "chief security something") is considered a coup for the open source software organization. Its Firefox browser has become a respectable contender to Microsoft's Internet Explorer, and having Snyder on board could give Firefox an even stronger security story. Snyder, whose most recent stint was founder and CTO of Matasano Security, headed up Microsoft's Windows XP SP2 and Windows Server 2003 security efforts and is credited for helping Microsoft officially "reach out" to security researchers.
In an interview with Dark Reading this week, Snyder said Mozilla has "some things in the works" akin to Microsoft's Blue Hat summit, where researchers are invited to Redmond to exploit flaws in Microsoft's software. And she says she hopes to position Mozilla as the model for how to handle bugs, and how to avoid creating them during development. "The whole world can give us feedback on the processes," Snyder says. "I can see this being a model for all security problems."
Snyder says Mozilla's open community approach to bugs will help speed the process of fixing them. The open source community will help "identify the bugs, report them, help us evaluate the extent of the problem, come up with a fix, develop patches, and document them," she says. "And we [will] turn around patches in days, not months."
With the help of the open source community, Mozilla can spend more time analyzing its security efforts. "[Community members] can check our work, and that's powerful for us," Snyder says. "It keeps us focused on trying to do the right thing and getting feedback from the community."
Another focus at Mozilla, she says, is ensuring that new features don't raise the risk profile of a package. "If there are infrequently used features, you can strip [those] out to minimize attacks in that area. So, if a vulnerability is found, it won't impact everyone with that product." The idea isn't to add a feature that fixes a single bug, but to create features that eliminate an entire class of vulnerabilities, she says.
And unlike commercial software companies, "we are fixing everything that comes in front of us," she says.
Snyder admits commercial vendors don't have this luxury, given their cost constraints and the need to balance risk with the cost of the fix. "But a low risk today could be a high risk tomorrow."
"[Commercial vendors] always have to compromise between security and scheduling, security and application compatibility, and features," she says.
The jump from Microsoft to Matasano to Mozilla has created a "best of all worlds" for Snyder. She's back on the product side, as she was at Microsoft, but she is still tied closely to researchers such as those at Matasano. So what attracted her to Mozilla? "It's always been an area I have had an affinity with -- my entire user experience as a geek, with Linux, OpenBSD, etc.," she says. "I enjoyed working at Microsoft, and now at Mozilla, for different reasons. But they both have very smart people working on very hard problems."
"She's been an advocate for open and transparent security processes, which is something we believe in deeply here at Mozilla," wrote Mike Schroepfer, vice president of engineering at Mozilla, in his blog.
Snyder says her friends at Microsoft are happy for her latest move. "Microsoft had a real challenge. It had a lot of reasons to take security seriously and make a change, and to learn from past mistakes," she says. "I feel lucky to have been able to participate in that experience."
Snyder plans to apply her know-how in secure development (she literally wrote the book on it as co-author of Threat Modeling) to Mozilla's software development process. "Security has to be involved in every part of the secure development process, through design and implementation. And developers need to be trained," she says, while testers must be taught to do code review.
Each product has to be penetration-tested, code-reviewed, and audited, Snyder says. "And once it's shipped, it needs to be patched quickly" when necessary, she says. "This is going to be applied at Mozilla," although many of these steps are already in place.
Snyder says her new co-workers probably don't know that when she moved to San Francisco, she had to recycle and find homes for her collection of 50 old computers, everything from old Apollo workstations to MicroVAXes and Alpha stations. "I couldn't say 'no' to an old VAX station," she says. "But I've mostly kicked the habit now."
As for her email address: "I generally use 'ws' or 'window' to avoid any confusion," Snyder says. And she has no plans to change her first name to Firefox, either.
Kelly Jackson Higgins, Senior Editor, Dark Reading