Articles in “General”

Using JSON for Private Data

Sometimes we’re asked for guidance on something and the result seems worth sharing; this one is about useful things to consider when using JSON for information that needs to stay …

Mozilla CTF 2012 – Aftermath

On January 25th, with the help of many volunteers, we hosted the first Mozilla Capture The Flag (CTF). The Mozilla CTF will be a recurring security event, although we are …

Automating Test Cases

Earlier this year I wrote about some of the challenges of scaling security efforts in an organization, and I mentioned that we are working to adopt better tooling to assist …

Mozilla Bug Bounty Update

We’re nearly three quarters of the way through 2011 and we wanted to provide an update on the progress of the Mozilla bug bounty programs. The goal of the Mozilla bounty …

Mozilla at OWASP AppSecUSA

Mozilla will be sending several security folks to this year’s OWASP AppSecUSA conference held in Minneapolis, MN on Thursday and Friday (Sept 22, 23). Stop by and find one of …

sha-512 follow-up and thank you

I made a statement in my previous post, SHA-512 w/ per User Salts, about a “significant hit rate” when it comes to dictionary attacking hashes. This significant hit rate is …

SHA-512 w/ per User Salts is Not Enough

Back in January, I was having a casual conversation about passwords at a local gathering about security and was asked what we use for storing the passwords. I stated that …

Enabling Browser Security in Web Applications

HTTPOnly, Secure Flag, Strict Transport Security, X-Frame-Options, Content Security Policy

The vast majority of application security occurs within the application’s code. However, there are a few key security controls that …

Scaling Security

The AppSec space is an extremely challenging field to work in, largely due to asymmetry; when you play defence you have to work to stay on top of each emerging …

Attack Aware Applications

We are working hard to advance the security of Mozilla web applications. This includes efforts such as threat modelling, security training, security throughout development, code review, testing, the bounty program, …