Open Source Approaches to Security for Applications and Services - Mozilla Case Study
Offered By: OWASP Foundation via YouTube
Course Description
Overview
Explore open source approaches to application and service security in this conference talk from AppSecEU 2016 in Rome. Delve into Mozilla's open source threat model, bug bounty program, and web services security strategies. Learn about the economics of zero-day bugs, internal communication processes, and web bug intake methods. Examine the challenges of measuring security, including the limitations of quantitative assessments and the epistemological problems associated with security verification. Gain insights into qualitative assessments, maturity models, and the complexities of determining which security approaches are most effective. Discover Mozilla's road map for improving security and the role of red team exercises in enhancing overall security posture.
Syllabus
Intro
Agenda
What is Mozilla
Open Source Threat Model
Remediation
Web Services
Threat Model
Bug Bounty
Economics of Zero Day Bugs
Active programs
Open source
Open source vs proprietary
Mozilla's open source projects
Bug bounty program
Internal communication
Web bug intake
Mozilla Firefox
Chris Hoffman
Statistics
Bounty Hunters
Measuring Security
Too Many Variables
Which is Safer
What do we learn
What can we actually measure
What security is
How much can we know
Garbage in garbage out
Qualitative assessments
Epistemological problem
Security verification
Hard to measure
Maturity model
Self-delusion
Road Map
Red Team
Summary
Taught by
OWASP Foundation