Firefox code under the microscope



So, the stories are out of the analysis of the code for Mozilla Firefox. It seems there were a large number of potential flaws found (71 potential security vulnerabilities) according to the article. This was done using an automated tool and many say, that in order to evaluate the true severity of the flaws, you have to be familiar with the code. Some, I’m sure will pounce on this with the “I thought open source software was supposed to be more secure…. I’m going back…” but it’s time to stop and think about things a moment. Open Source software…. anyone can access the source, anyone can analyze it for problems, anyone can run an automated tool to test it…..


Everything about the open source development process is out in the open. Microsoft is opening up a bit (I filed my first bug report for a Microsoft product in the last couple weeks.) But, they don’t allow the code for anyone to analyze. It’s a different approach to security (if we keep it secret no one will find it, vs…. open source which is – let’s tell everything so we can get the most bullet-proof code possible.)

So which approach is better? It’s hard to say definitively unless you’ve USED both approaches, but the thing I really like about the open development model IS THE FACT that EVERYONE has the opportunity to see what goes in the mix, which makes these third party analysis of code possible. Let’s speculate for the moment. IF mozilla-firefox were closed source. 1) We wouldn’t know about this analysis because it could never have happened, and many of the security issues that have been reported and fixed, might not have turned up yet because the code wasn’t there to look at.

The results of the analysis mentioned have been turned over to the developers and they will be reviewing and deciding which of the issues really pose a threat and how to prioritize fixing them.

It’s not a pretty process, and making it open could make for bad PR, that’s one reason some companies would never DREAM of making their code open.

Bottom line, it’s a GOOD thing that it’s been analyzed like this and that flaws have been found and reported to the developers, it can only make for a BETTER browser.

   Send article as PDF   

Similar Posts