“We thought this was just a problem with IE. It turns out, it is a problem with Firefox as well. We should have caught this scenario when we fixed the related problem in 2.0.0.5,” he writes. “We believe that defense in depth is the best way to protect people, so we’re investigating it now.”
Defence in depth should come with a corollary: communication in depth, where CSOs and other security professionals are as upfront as possible about their flaws. That’s when we all start learning. This shows both the power of transparency and the power of blogging as a medium for transparency.