DOI: 10.1145/2660267.2660320
Research article, open access

Moving Targets: Security and Rapid-Release in Firefox

Published: 03 November 2014

Abstract

Software engineering practices strongly affect the security of the code produced. The increasingly popular Rapid Release Cycle (RRC) development methodology and easy network software distribution have enabled rapid feature introduction. RRC's defining characteristic of frequent software revisions would seem to conflict with traditional software engineering wisdom regarding code maturity, reliability and reuse, as well as security. Our investigation of the consequences of rapid release comprises a quantitative, data-driven study of the impact of rapid-release methodology on the security of the Mozilla Firefox browser. We correlate reported vulnerabilities in multiple rapid release versions of Firefox code against those in corresponding extended release versions of the same system; using a common software base with different release cycles eliminates many causes other than RRC for the observables. Surprisingly, the resulting data show that Firefox RRC does not result in higher vulnerability rates and, further, that it is exactly the unfamiliar, newly released software (the "moving targets") that requires time to exploit. These provocative results suggest that a rethinking of the consequences of software engineering practices for security may be warranted.




Published In

CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security
November 2014
1592 pages
ISBN:9781450329576
DOI:10.1145/2660267
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.


Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. agile programming
  2. honeymoon effect: arms race
  3. rapid release cycle
  4. secure software development models
  5. secure software metrics
  6. software life-cycle
  7. software quality
  8. secure software development
  9. vulnerabilities
  10. windows of vulnerability


Conference

CCS'14

Acceptance Rates

CCS '14 Paper Acceptance Rate 114 of 585 submissions, 19%;
Overall Acceptance Rate 1,261 of 6,999 submissions, 18%



Cited By

  • (2024) Predicting the Impact of Crashes Across Release Channels. Proceedings of the 21st International Conference on Mining Software Repositories, pp. 138-139. DOI: 10.1145/3643991.3645067. Online publication date: 15 Apr 2024.
  • (2023) The Benefits of Vulnerability Discovery and Bug Bounty Programs: Case Studies of Chromium and Firefox. Proceedings of the ACM Web Conference 2023, pp. 2209-2219. DOI: 10.1145/3543507.3583352. Online publication date: 30 Apr 2023.
  • (2023) Software Updates Strategies: A Quantitative Evaluation Against Advanced Persistent Threats. IEEE Transactions on Software Engineering 49(3), pp. 1359-1373. DOI: 10.1109/TSE.2022.3176674. Online publication date: 1 Mar 2023.
  • (2023) Does OpenBSD and Firefox's Security Improve With Time? IEEE Transactions on Dependable and Secure Computing 20(4), pp. 2781-2793. DOI: 10.1109/TDSC.2022.3153325. Online publication date: 1 Jul 2023.
  • (2023) On the assignment of commits to releases. Empirical Software Engineering 28(2). DOI: 10.1007/s10664-022-10263-x. Online publication date: 16 Jan 2023.
  • (2023) Practices and challenges of threat modelling in agile environments. Informatik Spektrum 46(4), pp. 220-229. DOI: 10.1007/s00287-023-01549-5. Online publication date: 27 Sep 2023.
  • (2022) Inferring Software Update Practices on Smart Home IoT Devices Through User Agent Analysis. Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses, pp. 93-103. DOI: 10.1145/3560835.3564551. Online publication date: 11 Nov 2022.
  • (2021) Assessing time-based and range-based strategies for commit assignment to releases. 2021 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), pp. 142-153. DOI: 10.1109/SANER50967.2021.00022. Online publication date: Mar 2021.
  • (2019) Releasing fast and slow: an exploratory case study at ING. Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pp. 785-795. DOI: 10.1145/3338906.3338978. Online publication date: 12 Aug 2019.
  • (2019) Identification of the Impacts of Code Changes on the Security of Software. 2019 IEEE 43rd Annual Computer Software and Applications Conference (COMPSAC), pp. 569-574. DOI: 10.1109/COMPSAC.2019.10268. Online publication date: Jul 2019.
