Firefox Code Base Analysis
Mozilla Firefox is an open-source web browser that has gathered just over 11% of the internet browser market, an impressive movement for a browser that has to be physically downloaded onto a person’s computer and is not known outside of tech/geek circles. Outside of these circles, few people install it themselves unless they know someone who has set up their computer and installed Firefox for them. (Side Note – I use Opera, another excellent proprietary but free-to-use browser that has plenty of built-in security features, one of the main reasons to switch to Firefox.)
An open-source program is a software program that is developed not by a commercial company such as Microsoft, Adobe or Apple, but rather by a community of users who develop, code and maintain it. All of these users develop the code, report errors, work to fix them and constantly improve the program. Mozilla is a non-profit corporation, so it makes no profit from Firefox being used, and the majority of the developers are people outside of the company. This generally does several things for open-source programs. One is that it makes them quicker to respond to changes in the market: because the people who write the code are already at the forefront of any technology wave, they quickly make sure that the browser is compatible with all new technologies. It also generally provides a more secure and resilient program, which seems like backwards logic – wouldn’t a program whose source code is viewable actually be more open to attack?
In fact, in theory and in practice, the opposite is actually true. This is based on a fundamental idea behind many Web 2.0 apps, the open-source movement and, to some extent, democracy – the wisdom of the crowds. This theory says that when you get a ton of people all looking at the same thing and all examining it, the bad stuff, whatever it may be, from bad code to a bad news article in the case of Digg, is removed. Think about it: how many times have you needed just one other person to check over your work to see what you are doing? Writers do it, engineers do it, accountants do it, everybody does it. Now imagine that you have at least a dozen (on the smallest open-source projects) to several hundred (on the largest open-source projects) people examining what you put into the program. All of a sudden, all those careless mistakes that you make are eliminated, because it is not just you and maybe one or two other people checking your work; instead, tons of people are checking your work for you as you check theirs. This is the inherent power of the open-source movement.
However, as we have found far too often, no system is perfect, and Firefox is also prone to errors in its source code. G2zero.com examined the source code of the Firefox browser and found that there were 655 defects and 71 potential security vulnerabilities in the source code. Now that may seem like a lot to those of you who do not code programs, but for a program of this scale and magnitude that is a great number. No program will ever get rid of errors or security issues. Think about even Mac OSX, whose inherent security is routinely touted: Apple releases patches and security bulletins for OSX too, the same as Microsoft issues patches for Windows every 2nd Tuesday of the month, what is known as Security Tuesday.
The question here is whether or not automatic software tools that examine code and look for errors are worth deploying. A great many say yes, because such a tool helps you to find the errors, and a computer won’t skip over things that a human would ignore. Another great many say no, because a computer flags things that just don’t matter, whereas a human knows the code and knows whether an error actually matters or can just be ignored. I have to take the middle road on this: you should test and error-proof the code yourself. A computer program can give you a place to start, but it does not understand the whole code the same way a human does. The best thing is to do unit tests on your code and determine that the code works even when given invalid data. A security hole will always exist and an error can always be found, but whether the program works reliably and efficiently is possibly the better question to ask. The general public doesn’t care how many security holes a program has; they just want it to work. This is not to say that programmers should leave their code open to attack; rather, the emphasis should be on producing quality code that, in the words of Apple, “just works”. When quality code is produced that “just works”, the security comes hand in hand.
Edit – Sept. 16, 2006 10:22 pm, Fixed a mistake in my posting regarding the nature of the Opera web browser.