Is Firefox the Most Secure Web Browser?--Part 3

Microsoft's Jeff Jones discusses Mozilla's Mike Shaver's point that "You Can Only Count What The Vendor Wants You to See."

By Jeff Jones
Wed, February 04, 2009

CIO — [FULL DISCLOSURE: In addition to being a 20-year Security Guy, I work for Microsoft. While I try hard to focus on objective data, go ahead and assume bias, if you wish, and challenge my analysis with your own comments—you'll be helping me fulfill my goal of ensuring all sides of security claims are thoroughly examined and rigorously debated in the public view.]

I encourage you to read Part 1 and Part 2 of this series for background and context. As I discussed in Part 1, I challenged Mozilla's claim that Firefox "won't harbor nearly as many security flaws as those that have Microsoft's Internet Explorer" with an Internet Explorer and Firefox Vulnerability Analysis, which resulted in a rebuttal from Mozilla's Mike Shaver (please do read it, so you have his viewpoint).

My main issue with the rebuttal is that, rather than addressing the issue of software vulnerabilities and acknowledging that Writing Secure Code is hard (for everybody in the industry), it changes the topic to redirect the conversation away from Firefox and towards Microsoft, asserting that my analysis of security flaws is a poor measure of security. Of course, that ignores the fact that it is a really good measure of specific claims about having low numbers of vulnerabilities.

I still think the issues raised should receive a vigorous and open discussion, so today I will dig into one of the two main points raised by Shaver: "You Can Only Count What The Vendor Wants You to See."

You Can Only Count What the Vendor Wants You to See

Rather, I would say you can count everything that gets disclosed in a broad and public way, by security researchers or vendors. This is at the heart of the theory of Full Disclosure and I am comfortable asserting that most vulnerabilities across the industry in open and closed source models are disclosed by someone other than the vendor or development teams. Vendors do disclose issues, but it is typically a small percentage of the overall set of vulnerabilities.

If that's true, why is this issue even raised? Probably because of the issue of so-called "silent fixes" and because this was a hotly debated concern a few months before my analysis was released. After studying the discussions quite a bit, I see this as another incarnation of the various interpretations of Full Disclosure and a continuation of the debate between differing camps:

  • (position one) Full disclosure requires that full details of a security vulnerability are disclosed to the public, including details of the vulnerability and how to detect and exploit it.
  • (position two) The disclosure process and what information is disclosed should be guided by the best efforts to minimize overall risk to users. I lump the "disclose the minimum" crowd in here too.
