Security Experts:

BlackBerry, Mozilla in Bug Hunting Partnership

BlackBerry and Mozilla have armed themselves with new bug-hunting tools as part of an effort to collaborate on securing the web.

The smartphone maker and open-source software group used the spotlight of the Black Hat 2013 security conference to showcase Peach, an open-source fuzz testing framework.

Fuzz testers, or fuzzers, are used during by security researchers to pinpoint software vulnerabilities by sending random input to an application. If the program contains a vulnerability that leads to an exception, crash or server error, researchers can parse the results of the test to pinpoint the cause of the crash.

BlackBerry and Mozilla LogosAccording to Mozilla Director of Security Assurance Michael Coates, the two companies will advance the Peach fuzzing software with a specific focus on web browsers. Mozilla and BlackBerry will also share data on fuzzing techniques and approaches to jointly raise the security protections provided to end users.

Coates said Mozilla is already using Peach to perform fuzz tests against HTML5 features such as image formats, audio/video formats, fonts, multimedia APIs like WebGL and WebAudio and protocols used in WebRTC.

"We've proactively identified issues that can be fixed before there was any risk to our users. This testing has proved to be very effective and is helping secure Firefox and Firefox OS users," Coates added.

For BlackBerry, the partnership makes sense. Like Mozilla, BlackBerry uses the Gecko rendering engine and this comes with a lot of security challenges and headaches. By plugging into all the work done by Mozilla and combining that with its own internal proprietary fuzzing techniques, BlackBerry can definitely benefit from this partnership.

Separately, Mozilla announced the launch of Minion, an open source security testing platform for developers and security professionals.

*Corrected to reflect that BlackBerry uses the Gecko rendering engine, not the WebKit rendering engine as was orginally stated in the article.

view counter
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. Ryan is a veteran cybersecurity strategist who has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan's past career as a security journalist included bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive's ZDNet, PCMag and PC World. Ryan is a director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world. Follow Ryan on Twitter @ryanaraine.