Scrutiny of Mozilla Security Claims

Today, I started a multi-part article series ( http://www.cio.com/article/476176 ) probing Mozilla’s claims of security superiority.  My plan is to post up a new article every few days probing aspects of claims they’ve made either on the Firefox security page or in some other public forum.

As most of you know, writing secure software is hard and takes commitment, process and ongoing focus.  And in general, I think Mozilla has shown that they take security seriously and are making best efforts to build in good security quality.

With that in mind, it was perhaps a bit bold of Mozilla to make security claims from the first day they shipped Firefox.

Even giving them the benefit of the doubt that they’ve been focused on security since before the release of Firefox 1.0 back in November 2004, did they immediately do everything better than the rest of the industry?  Did they have no lessons to learn with respect to security?

When I think about the almost-seven-years that Microsoft has been actively working under the Trustworthy Computing initiative and the work done to continually improve the SDL process, I find that assumption hard to accept without some supporting proof points.

So, don’t think that I am claiming Microsoft or anybody else has it perfect yet either; it is definitely an industry-wide challenge and will be for some time to come.

However, if Mozilla chooses to make security a marketing theme and claim to be “the safest web browser”, then I also believe it opens those claims to efforts at fact-checking and open discussion.  Feel free to express your disagreement or support ;-)
