
BlackBerry, Mozilla fighting bugs with 'Peach'

The smartphone company and open-source software leader hope that a new open bug-hunting tool they've collaborated on will make the Web safer.

Seth Rosenblatt Former Senior Writer / News
Senior writer Seth Rosenblatt covered Google and security for CNET News, with occasional forays into tech and pop culture. Formerly a CNET Reviews senior editor for software, he has written about nearly every category of software and app available.
Promo graphic for Peach from BlackBerry and Mozilla. Mozilla, RIM

Nobody likes bugs in their peaches, but in computer security terms, the goal of the new "Peach" tool from BlackBerry and Mozilla is to fight back against the critters.

Peach is an open-source "fuzzing" tool, which automates tests designed to expose hidden security holes, so they can be fixed before people have been put at risk. Created by Michael Eddington of Deja Vu Security, its developers are working on its third major version since 2004. That BlackBerry and Mozilla are advocating its use to detect bugs is a big win for the tool and Eddington.

The tool represents a major effort by technology companies to get better security tools into the hands of developers.

"At a high level, what we're trying to do is test bad input into our browser that could cause something to go wrong," said Michael Coates, Mozilla's director of security assurance. "We want to keep users safer before things go wrong."

In a blog post announcing the tool, Mozilla says it has used Peach to successfully detect problems in the rapidly developing HTML5 technologies, including WebGL, WebRTC, image formats, audio and video formats, and fonts, in Firefox and Firefox OS.

For its part, BlackBerry relies on a mix of its own proprietary fuzzing tools and third-party ones to test how secure its products are. "[Peach] spans across multiple technologies," said Adrian Stone, who leads BlackBerry's security response team. "We employ fuzzing technology on a pretty wide scale at BlackBerry ... not just for our mobile phones, but also the BlackBerry enterprise server."

The collaboration could indicate part of a change in computer security culture, as large companies invest more effort in sharing security research. But it also speaks to addressing the legitimate concerns of security experts that the Web-as-platform presents potentially serious security risks.

Meanwhile, Mozilla has released a second open-source security tool for developers and security experts, called Minion. Its goal is to narrow down the volumes of data that security logs generate to a smaller, more accurate list. Think of it as showing you one of the five cable channels you always watch, instead of turning on the TV to one of 500 channels at random.

"Security tools now require a security professional to use them, and that's not a tenable future for the Web," said Coates. Minion, he said, is "trying to give [the tool's] users the right information."

He emphasized that Mozilla's goal is to put "usable security into the users' hands," meaning developers. Laudable, to be sure, and necessary. So far, though, security has proven an elusive aim on the Web.

Updated at 12:30 p.m. PT to clarify that BlackBerry and Mozilla did not create Peach.