Using JSON for Private Data

February 10th, 2012 by mgoodwin

Sometimes we’re asked for guidance on something and the result seems worth sharing; this one is about useful things to consider when using JSON for information that needs to stay secret. If you’re using JSON for private data; make sure you’ve fixed the CSRF side of things and everything will be OK. If you want […]

Mozilla CTF 2012 – Aftermath

January 31st, 2012 by Frederik Braun

On January 25th, with the help of many volunteers, we hosted the first Mozilla Capture The Flag (CTF). The Mozilla CTF will be a recurring security event, although we are not yet prepared to announce when the next iteration will be.  CTF participants competed against each other trying to research flaws, exploit vulnerabilities or find […]

Automating Test Cases

October 26th, 2011 by yboily

Earlier this year I wrote about some of the challenges of scaling security efforts in an organization, and I mentioned that we are working to adopt better tooling to assist us in this.  We have been working towards improving security in the development lifecycle by making security tests a part of the quality assurance process. […]

Mozilla Bug Bounty Update

October 4th, 2011 by mcoates

We’re nearly three quarters the way through 2011 and we wanted to provide an update on the progress of the Mozilla bug bounty programs.  The goal of the Mozilla bounty programs is to encourage security research in Mozilla software, reward the individuals that are participating in this research, and continue pursuing the safest browsing and […]

Mozilla at OWASP AppSecUSA

September 19th, 2011 by mcoates

Mozilla will be sending several security folks to this year’s OWASP AppSecUSA conference held in Minneapolis, MN on Thursday and Friday (Sept 22, 23).  Stop by and find one of us to get one of our “Securing Mozilla” stickers. We’ll be hosting the following events: Security Evolution – Bug Bounty Programs for Web Applications Open […]

Mozilla Discusses New Browser & Web Security Features at European Security Conference

July 13th, 2011 by mcoates

Michael Coates from Mozilla’s Infrastructure Security team presented on top web security threats and how new security controls in Firefox can be leveraged to increase the security of a website and further protect users against malicious attacks. Attackers are continuing to exploit issues that are challenging for web application owners to address throughout their applications.  […]

sha-512 follow-up and thank you

June 1st, 2011 by Chris Lyon

I made a statement in my previous post, SHA-512 w/ per Users Salts about a “significant hit rate” when it comes to dictionary attacking hashes. This significant hit rate is what we are scared of because we feel that not many people really know the ease of dictionary attacking the hashes, even if you have […]

SHA-512 w/ per User Salts is Not Enough

May 10th, 2011 by Chris Lyon

Back in January, I was having a causal conversation about passwords at a local gathering about security and was asked what we use for storing the passwords. I stated that we are using sha-512 w/ per user salts but we are looking at moving away from this standard to something much stronger. The response that […]

Mozilla Brings Web Application Security To University Students

April 25th, 2011 by mcoates

Over the weekend Mozilla led an open source boot camp at Stanford University with a great lineup of courses including a hands-on web security lab where students performed actual exploits against a vulnerable web application. The goal of the web security workshop was to educate students about top security threats facing today’s web applications. By […]

Enabling Browser Security in Web Applications

March 31st, 2011 by mcoates

HTTPOnly, Secure Flag, Strict Transport Security, X-Frame-Options, Content Security Policy The vast majority of application security occurs within the application’s code. However, there are a few key security controls that are enabled by the web application dictating security properties to the web browser. These security properties enable the browser to impose additional security controls on […]

Next Page »