Security and Rapid Release in Firefox

Slide Note
Embed
Share

Explore how security and rapid release cycles impact software development in Firefox. Learn about integrating security into app development, related research on software quality, and goals for validating vulnerability impacts in Agile RRC development.

michalec_l
michalec_l Follow

Uploaded on Sep 11, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. + Moving Targets: Security and Rapid-Release in Firefox Presented by Carlos Bernal-C rdenas Presented by Carlos Bernal-C rdenas

  2. +Motivation

  3. To design, build, and deploy secure applications, [...] integrate security into your application development life cycle and adapt your current soft- ware engineering practices and methodologies to include specific security-related activities

  4. +Related Work Software Development Woody et al. surveyed Agile developers about the impact of security engineering activities on software development using Agile approaches Seacord et al. notes that the traditional model of patching-and- install is problematic Bessey et al. discuss the prevailing attitudes towards software upgrades in terms of the number of bugs generated by each release

  5. +Related Work Firefox Software Engineering Firefox has been the focus of prior research concerning software quality in its long history as open source project Khomh et al. evaluates the effect of rapid release model using different metrics as proposed in this paper Number bug after release Median daily crash count Median uptime Almossawi s work takes into account of the maintainability of Firefox since RRC version

  6. +Related Work Lifecycle Issues Foundational work on vulnerabilities lifecycles concluded that Windows of vulnerabilities exist, during which software is more likely compromised Gopalakrishna and Spafford speculated that the increased rate of discovery of vulnerabilities was the result of a learning of time However, Ozment points out, this incorrectly assumes that a fixed number of users form the total are looking for vulnerabilities Clark et al. posited the existence of a grace period enjoyed by software immediately following its release

  7. +Goals Validate whether the switch to Agile RRC development introduce large numbers of new vulnerabilities into software Identify the moment in which the code base are vulnerabilities being discovered Check if the number of vulnerabilities detected have increased since the switch to RRC

  8. + Motivation Related Work Contributions Outline Methodology Conclusion Quiz

  9. +Contributions New data set of Firefox vulnerabilities Quantitative evidence of: Low rate of increase on vulnerabilities since Firefox RRC Major vulnerabilities are not in the new code Vulnerabilities are not disclosed until RRC version gets obsolete Observation that frequent releases might provide some protection Further supporting evidence for an exploit-free grace period provided by attacker s learning curve

  10. +Methodology Assumptions With each addition of new code , a number of new software defects are also added New vulnerabilities are also introduces and will be discovered and disclosed The attackers are analyzing code bases searching for weaknesses in both old and new code

  11. +Methodology Vulnerability Taxonomy Baseline Vulnerabilities Vulnerabilities that affect the original codebase on which RRC was based Regressive Vulnerabilities Vulnerabilities discovered and disclosed in code after the version in which it was introduced has been obsoleted by a more recent version New Vulnerabilities Vulnerabilities that affects the current version of code at the time the disclosure but that do not affect previous versions

  12. +Methodology Why Firefox? Since the initial release in 2004 Firefox has been an open source project Firefox has a well maintained and frequently available bug database Frequent target of attackers Bug Bounty program Firefox has historical development in ESR and RRC approaches

  13. +Methodology Data Collection 617 Bug IDs were issued from the inception of RRC and the time of writing of this paper Extraction of the code from the mercurial repository Include file extensions such as .c, .cc, .cpp, .css, .h, Look into the Firefox s Extended Support Reseases

  14. +Methodology Limitations Unknown vulnerabilities make the date of any given vulnerability hard to obtain In this paper the authors uses the disclosure date as an approximation for the discovery date Since Firefox is a frequent attack target, Mozilla responds fast issuing inter-cycle point releases for critical vulnerabilities

  15. +RRC Versus ESR RRC ESR Rapid release advances our mission in important ways. We get features and improvements to users faster. We get new APIs and standards out to web developers faster. Maintenance of each ESR, through point releases, is limited to high- risk/high-impact security vulnerabilities and in rare cases may also include off-schedule releases that address live security vulnerabilities.

  16. +RRC Versus ESR What would we expect to see? RRC ESR Increase in the number of vulnerabilities Rapid release advances our mission in important ways. We get features and improvements to users faster. We get new APIs and standards out to web developers faster. Maintenance of each ESR, through point releases, is limited to high- risk/high-impact security vulnerabilities and in rare cases may also include off-schedule releases that address live security vulnerabilities. of vulnerabilities The scope of vulnerabilities should change Frequent changes should increase the rate

  17. +Research Questions Does the addition of 250k+ LOC every 42 days markedly increase the number of vulnerabilities discovered and disclosed? 1. Is the scope of disclosed vulnerabilities confined to RRC? 2. Are the RRC vulnerabilities easier to find? 3.

  18. +RQ1

  19. +RQ1

  20. +RQ2

  21. +RQ3

  22. +Conclusions Vulnerabilities are disclosed on the older code at least as often as they are in the newer code Firefox rapid-release cycles expose the software to a shorter window of vulnerability The authors study suggested that familiarity with a codebase is a useful heuristic for determining how quickly vulnerabilities will be discovered

  23. +Quiz What are the 4 reasons the authors choose Firefox as subject in their study? What is the main focus of Agile approaches compare to models intended to produce secure systems? Why rapid-release cycles expose Firefox to a shorter window of vulnerabilities?

  24. + Questions

Related


Rapid Point of Care Training Program - Performing the INSTI HIV Rapid Test

Rapid Point of Care Training Program - Performing the INSTI HIV Rapid Test

kgab
HIV Rapid Test Procedures and Instructions

HIV Rapid Test Procedures and Instructions

uier101
Rapid Identification System for Inmate Release

Rapid Identification System for Inmate Release

tallulah
Study on the Relationship Between Release Distance and Bounce Distance of Golf Ball

Study on the Relationship Between Release Distance and Bounce Distance of Golf Ball

zey_ken
Difference Between Massive Transfusion Protocol (MTP) and Emergency Release of Blood Products

Difference Between Massive Transfusion Protocol (MTP) and Emergency Release of Blood Products

gaetano
Rapid Start Learning Collaborative for Infectious Disease Bureau, Boston Public Health Commission

Rapid Start Learning Collaborative for Infectious Disease Bureau, Boston Public Health Commission

leee426
Polymeric Controlled Drug Delivery Systems

Polymeric Controlled Drug Delivery Systems

mario
Proposed Amendments for Hazardous Material Release Reporting Regulations

Proposed Amendments for Hazardous Material Release Reporting Regulations

nira
Understanding the Role of Security Champions in Organizations

Understanding the Role of Security Champions in Organizations

irvin
Understanding the Roles of a Security Partner

Understanding the Roles of a Security Partner

zaara
OpenStack Liberty Release Overview

OpenStack Liberty Release Overview

lea_vyn
IEEE 802.11-19/1215r0 WLAN Integration in 5G System Release 17 Overview

IEEE 802.11-19/1215r0 WLAN Integration in 5G System Release 17 Overview

sera
Rapid NHS Response Teams: Enhancing Home Care and Avoiding Hospital Admissions

Rapid NHS Response Teams: Enhancing Home Care and Avoiding Hospital Admissions

sean
Efficient Public Transportation Planning for Mass Mobility

Efficient Public Transportation Planning for Mass Mobility

lle_cad
RAPID Meeting Insights and Schedule Updates

RAPID Meeting Insights and Schedule Updates

tiberi_e
Prostate Rapid Diagnostic Service Transformation Overview

Prostate Rapid Diagnostic Service Transformation Overview

lockie
Access Hyperion Cloud for Budget Management

Access Hyperion Cloud for Budget Management

kit
Software Engineering and Architecture

Software Engineering and Architecture

masha
Troubleshooting Invalid Login Credential Issue on e-Way Bill Portal

Troubleshooting Invalid Login Credential Issue on e-Way Bill Portal

rain
O-RAN Software Community June 2020 Updates

O-RAN Software Community June 2020 Updates

denver
Statewide Release of CAASPP and ELPAC Results Overview

Statewide Release of CAASPP and ELPAC Results Overview

adelynn
Overview of O-RAN SC Bronze Release Objectives and Timelines

Overview of O-RAN SC Bronze Release Objectives and Timelines

drake
Insights into COUNTER Release 5 Usage Reports and Metric Types

Insights into COUNTER Release 5 Usage Reports and Metric Types

calanthe
California CalAIM Justice-Involved Initiative Overview

California CalAIM Justice-Involved Initiative Overview

princess

More Related Content

Way Forward on Release Independence for 35 and 45 MHz in Mobile Networks
Way Forward on Release Independence for 35 and 45 MHz in Mobile Networks
Update on MA Center for Health Information & Analysis Case Mix User Workgroup - September 27, 2016
Update on MA Center for Health Information & Analysis Case Mix User Workgroup - September 27, 2016
Evolution of COUNTER Release 5: Enhancing Accessibility and Compliance
Evolution of COUNTER Release 5: Enhancing Accessibility and Compliance
libgpiod v2: new major release with a ton of new features
libgpiod v2: new major release with a ton of new features
Understanding Press Releases and Tips for Writing Them
Understanding Press Releases and Tips for Writing Them
Rocket Engine Ignition Process Explained
Rocket Engine Ignition Process Explained
International Approaches to Enhance Nuclear Safety and Security
International Approaches to Enhance Nuclear Safety and Security
Understanding Cyber Security and Risks
Understanding Cyber Security and Risks
Overview of Social Security and Health Care System in Turkey
Overview of Social Security and Health Care System in Turkey
Legal Framework on Information Security in the Ministry of Trade, Tourism, and Telecommunication
Legal Framework on Information Security in the Ministry of Trade, Tourism, and Telecommunication
Understanding Provable Security Models in Cryptography
Understanding Provable Security Models in Cryptography
Comprehensive Guide to Designing Physical Security and Security Planning by Susan Lincke
Comprehensive Guide to Designing Physical Security and Security Planning by Susan Lincke
Certification and Training in Information Security
Certification and Training in Information Security
Enhancing SWIFT Security Measures for ReBIT: March 2018 Update
Enhancing SWIFT Security Measures for ReBIT: March 2018 Update
Evolving Security Practices in DevOps: A Holistic Approach
Evolving Security Practices in DevOps: A Holistic Approach
Understanding Computer Security Principles and Practices
Understanding Computer Security Principles and Practices
Understanding Security Threats and Countermeasures
Understanding Security Threats and Countermeasures
BCA 601(N): Computer Network Security
BCA 601(N): Computer Network Security
Enhancing Security Definitions for Functional Encryption
Enhancing Security Definitions for Functional Encryption
TSA Updates on Security Training Rule for OTRB Companies
TSA Updates on Security Training Rule for OTRB Companies
AEP Enterprise Security Program Overview - June 2021 Update
AEP Enterprise Security Program Overview - June 2021 Update
Understanding Transport Layer Security (TLS)
Understanding Transport Layer Security (TLS)
Understanding Security Onion: Network Security Monitoring Tools
Understanding Security Onion: Network Security Monitoring Tools
Understanding the Rapid Rehousing Program in Kern County
Understanding the Rapid Rehousing Program in Kern County