Moving Targets: Security and Rapid-Release in Firefox
Venue
Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, ACM, New York, NY, pp. 1256-1266
Publication Year
2014
Authors
Sandy Clark, Michael Collis, Matt Blaze, Jonathan M. Smith
Abstract
Software engineering practices strongly affect the security of the code produced. The increasingly popular Rapid Release Cycle (RRC) development methodology and easy network software distribution have enabled rapid feature introduction. RRC's defining characteristic of frequent software revisions would seem to conflict with traditional software engineering wisdom regarding code maturity, reliability and reuse, as well as security. Our investigation of the consequences of rapid release comprises a quantitative, data-driven study of the impact of rapid-release methodology on the security of the Mozilla Firefox browser. We correlate reported vulnerabilities in multiple rapid release versions of Firefox code against those in corresponding extended release versions of the same system; using a common software base with different release cycles eliminates many causes other than RRC for the observables. Surprisingly, the resulting data show that Firefox RRC does not result in higher vulnerability rates and, further, that it is exactly the unfamiliar, newly released software (the "moving targets") that requires time to exploit. These provocative results suggest that a rethinking of the consequences of software engineering practices for security may be warranted.
