Mozilla, the nonprofit organization behind the popular Firefox browser and other open source projects, today announced the launch of Minion, a new automated security testing platform. The platform is intended to be flexible and easy to use, deploy and extend so that developers can be integrated into virtually any development workflow. Mozilla also announced a partnership with BlackBerry to enable the open source Peach fuzzing framework for testing browsers.
Minion
The Minion project, Mozilla says, started about a year ago and is still very much under active development. Today’s announcement of version 0.3 marks the tool’s first major public outing, though the company has previously talked about it and development of the tool happened in public.
The idea behind Minion is to enable developers to log in to the tool and immediately start scans against their web applications. Currently, the tool features three working extensions (a port scanner, web fuzzer and a penetration testing tool), but the team is working to extend the number of plug-ins, and developers, of course, can also write their own.
It’s worth noting that the Mozilla team is explicitly positioning Minion as a platform and not a security tool. All of the testing features are implemented as plug-ins and Mozilla itself wants to focus on “providing strong abstractions and a reliable, extensible platform without binding the platform to a specific suite of tools.”
Fuzzing With BlackBerry
Mozilla’s collaboration with BlackBerry on the Peach open-source fuzzing framework is pretty straightforward. The idea here is to work together “to advance the Peach fuzzing software for testing Web browsers.” The fuzzing framework throws invalid (and often random) data at a program (in this case, the browser) and looks for crashes that could indicate security issues and memory leaks.
Mozilla says it has already used Peach to perform fuzz tests against some HTML5 features in its browsers and that BlackBerry’s experience in using fuzzers to test its platforms will allow it to plug “directly into BlackBerry’s existing security processes and infrastructure.”
