SecurityEngineering/Strategy
This is the Security and Privacy Engineering team strategy
Mission: build security and user sovereignty into Firefox. Through this work, we encourage and promote these values on the open web.
We focus hard on ways to improve the privacy and security of all web users, in a Mozilla way that engages the community in our design and implementation decisions. These priorities are reflected in the projects this team manages, public evangelism and participation in relevant standards bodies to maximize adoption of new privacy & security mechanisms.
Strategic Actions
To build the impact of our team, we should focus on four top-level activities:
- Implement and Deploy software
- Consult on Architecture and Design
- Research new Ideas
- Evangelize what we Do
A clear and focused approach to expanding our team's impact in these four areas will lead to a broader connection to the community, more potential for impact, and a safer web as stated in our mission. We may not spend equal times on each of these activities, but depending on need and potential impact we may focus on one or two more than the rest.
Implement and Deploy
Communication, Research and Architecture are all necessary efforts, but in order to spread security and privacy throughout the web, we must follow through and deploy software that assuredly acts under the control of its operator. To do this we write, deploy and maintain software or modules of software across the products in Mozilla; but we also encourage others to participate in this practice. By example, and by encouraging others to think about security and privacy while writing and deploying software, we can make Mozilla software and web properties best at keeping a user in control.
Consult on Architecture and Design
We've built a core of strong security and privacy thought-leaders that can help guide the architecture of Mozilla's offerings to include security and privacy as core tenets. We must engage with other teams to help them build in these attributes as they're designing the architecture of their products. This may involve contributing a threat model or secure design to a team's project, helping in the design phase to make sure our privacy principles are held up in the new project, or by designing and standardizing new web technologies that enhance the security and privacy of the web platform.
Evangelize what we Do
Our team does lots of great stuff. It's important to tell everyone what we're doing for a variety of reasons.
First, it helps build relevance and a reputation for doing lots of great stuff within the organization; with relevance, we can once again drum up support in taking a leadership position on privacy and security. We have a good story to tell, and need to tell it. Second, it helps build Mozilla. When we excite the Mozilla community (and the world) about the work we're doing, they'll likely find ways to tie their work into our goal of making the web a safer place. We should maximize the number of people who know what Mozilla stands for and why security and privacy are core to making it *your web*. Third, it builds our team's core strength. We all feel like we're making an impact, but coming together as a team and telling the story builds excitement and drive.
Communication comes in many forms, including blogging, public talks, brown bags, paper publications, guest lectures, seminars or hackathons, outreach and networking, panel participation, policymaker education, and more. We need to reach out into all the social circles concerned with web security and privacy to obtain guidance and exhibit what we do.
Research new Ideas
Web security and privacy is a field full of huge problems. We don't fully understand them, especially when there are sociological or psychological elements involved. As such, we need to approach security and privacy from two sides: (1) understand peoples mental models and adapt our work to suit them and (2) coming up with new, innovative features and products -- that may or may not be feasible. Research is not only a process through which we can reach understanding of the world's needs, but also a way for us to engage with inventors and academic circles to bring the latest and greatest to the web.
