Security for Mozilla and BlackBerry is set to get a boost thanks to a little Peach fuzzing.
Peach is an open source fuzzer project that is now set to benefit from the joint efforts of Mozilla and BlackBerry. Fuzzing is a well-known security technique in which faulty or malformed input is injected into a program to see what happens.
“At CanSecWest, one of the many conferences BlackBerry sponsors, we had an opportunity for our researchers and Mozilla researchers to meet and discuss security automation tools,” Adrian Stone, Director of Response for BlackBerry, told Datamation. “During that discussion, we determined both companies are working on similar security research projects, and we identified an opportunity to protect our mutual customers and help bolster industry security overall.”
What is particularly interesting about the BlackBerry-Mozilla collaboration is that the two companies use different technologies for their respective web browsers. Mozilla has its own Gecko engine that powers Firefox, while BlackBerry leverages the open source WebKit engine that is also used by Apple’s Safari.
Stone noted that Peach can be used to identify vulnerabilities across multiple platforms and the benefits are not just browser-specific. It’s a sentiment that is echoed by Michael Coates, Director of Security Assurance at Mozilla.
“For browsers to be compatible, they must handle the same formats and protocols and consume them in the same ways, via files or the Internet,” Coates told Datamation. “Browsers may have completely different bugs, but they can be tested using the same methodologies and tools.”
Coates stressed that Mozilla and BlackBerry can work together to create effective test tools that will improve both browser engines.
Fuzzing
The original Peach Fuzzer project got started in 2004. Coates explained that the main author, Michael Eddington, has gone in a new direction with Peach 3.
“It was more productive for us to stick with the Python-based Peach 2 which was already integrated into our Python-based testing framework,” Coates said. “Groups who were similarly enmeshed with a Python-based toolchain may be interested for the reasons we were.”
Mozilla is no stranger to the world of fuzzing and has built multiple fuzzers over the years, including jsfunfuzz.
“Fuzzers are built for a variety of purposes and have different strengths,” Coates said. “jsfunfuzz is specialized to test JavaScript, there is no overlap on that one specifically.”
While Mozilla and BlackBerry are now collaborating on Peach, it’s an effort that could help a much broader audience as well.
“BlackBerry and Mozilla are investing in Peach to help identify potential security issues before they can put customers at risk,” Stone said. “As it’s an open source tool, we can share our results with the broader community to help protect customers industry-wide.”
Minion
Mozilla is now also advancing the state of its open source Minion security testing framework with a 0.3 release.
“The idea of Minion is to provide highly accurate results in a single, easy to use tool so developers can make their applications more secure,” Coates explained. “Just as it is easy to code for the web, we’d like to make it easier to secure those same web applications.”
As a framework, Minion integrates with other open source security tools and is extensible via a plugin architecture. Currently Minion integrates OWASP Zed Attack Proxy, Skipfish and Nmap.
“Minion is able to detect the types of application security failures that plague many applications on the web,” Coates said.
Among the failures that Minion can expose is the lack of proper SSL enforcement via HTTP Strict Transport Security. The framework can also help to check whether cookies set the Secure and HttpOnly flags, and to identify Cross-Site Scripting (XSS) issues.
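The header checks named above can be illustrated with a short script. This is an added example, not Minion's own code or plugin API: it audits one HTTPS response for a weak or missing Strict-Transport-Security header and for cookies lacking the Secure or HttpOnly flag. The sample headers, the function names and the 180-day max-age threshold are assumptions made for the illustration.

```python
# Added example, not Minion code. Sample data and threshold are constructed.
SAMPLE_HEADERS = [  # (name, value) pairs of one HTTPS response, constructed
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=0; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "tracking=xyz; Path=/"),
]
MIN_HSTS_AGE = 15552000  # assumed policy threshold (180 days)


def parse_directives(value):
    """Split 'a=1; b; c=2' into a dict with lower-cased keys."""
    out = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        key, _, val = part.partition("=")
        out[key.strip().lower()] = val.strip().strip('"')
    return out


def audit_headers(headers):
    """Return a sorted list of finding strings for one HTTPS response."""
    findings = []
    hsts = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not hsts:
        findings.append("hsts: header missing")
    else:
        # RFC 6797: a user agent processes only the first HSTS header field
        age = parse_directives(hsts[0]).get("max-age", "")
        if not age.isdecimal():
            findings.append("hsts: max-age missing or invalid")
        elif int(age) < MIN_HSTS_AGE:
            findings.append("hsts: max-age %s below %d" % (age, MIN_HSTS_AGE))
    for k, v in headers:
        if k.lower() != "set-cookie":
            continue
        first, _, rest = v.partition(";")  # first pair is name=value
        name = first.partition("=")[0].strip()
        attrs = parse_directives(rest)     # attribute names are case-insensitive
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append("cookie %s: %s flag not set" % (name, flag))
    return sorted(findings)


if __name__ == "__main__":
    print("\n".join(audit_headers(SAMPLE_HEADERS)))
```

A `max-age=0` value is flagged because it tells the browser to drop the HSTS policy for the host rather than enforce it.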
“While a developer could set up, configure and run each of these tools individually, Minion creates a single place for pre-set configuration, scheduling, coordinated results and information on remediation for the issues,” Coates said. “We believe that providing easy to use security tools in the hands of all developers will help move to a more secure web.”
Sean Michael Kerner is a senior editor at Datamation and InternetNews.com. Follow him on Twitter @TechJournalist.