Security Experts:

BlackBerry, Mozilla in Bug Hunting Partnership

BlackBerry and Mozilla have armed themselves with new bug-hunting tools as part of an effort to collaborate on securing the web.

The smartphone maker and open-source software group used the spotlight of the Black Hat 2013 security conference to showcase Peach, an open-source fuzz testing framework.

Fuzz testers, or fuzzers, are used during by security researchers to pinpoint software vulnerabilities by sending random input to an application. If the program contains a vulnerability that leads to an exception, crash or server error, researchers can parse the results of the test to pinpoint the cause of the crash.

BlackBerry and Mozilla LogosAccording to Mozilla Director of Security Assurance Michael Coates, the two companies will advance the Peach fuzzing software with a specific focus on web browsers. Mozilla and BlackBerry will also share data on fuzzing techniques and approaches to jointly raise the security protections provided to end users.

Coates said Mozilla is already using Peach to perform fuzz tests against HTML5 features such as image formats, audio/video formats, fonts, multimedia APIs like WebGL and WebAudio and protocols used in WebRTC.

"We've proactively identified issues that can be fixed before there was any risk to our users. This testing has proved to be very effective and is helping secure Firefox and Firefox OS users," Coates added.

For BlackBerry, the partnership makes sense. Like Mozilla, BlackBerry uses the Gecko rendering engine and this comes with a lot of security challenges and headaches. By plugging into all the work done by Mozilla and combining that with its own internal proprietary fuzzing techniques, BlackBerry can definitely benefit from this partnership.

Separately, Mozilla announced the launch of Minion, an open source security testing platform for developers and security professionals.

*Corrected to reflect that BlackBerry uses the Gecko rendering engine, not the WebKit rendering engine as was orginally stated in the article.

view counter
Ryan is the host of the SecurityWeek podcast series "Security Conversations". He is the head of Kaspersky Lab's Global Research & Analysis team in the USA and has extensive experience in computer security user education, specializing in operating system and third-party application vulnerabilities, zero-day attacks, social engineering and social networking threats. Prior to joining Kaspersky Lab, he monitored security and hacker attack trends for over 10 years, writing for eWEEK magazine and the ZDNet Zero Day blog. Follow Ryan on Twitter @ryanaraine.