Minutes of 6 May WebSec IG call

Thanks to IG members and guests Antonio Fontes (OWASP) and Dave
Raggett (W3C SysApps) for joining the May WebSec call.

Draft Minutes are posted here, and in text below:
http://www.w3.org/2014/05/06-websec-minutes.html

including:
- OWASP presentation (by Antonio FONTES from OWASP)
- SysApp WG security model (by Dave RAGGETT from W3C)
- Report from W3C Web Payment Workshop, with a special focus on
identity, security and privacy, and a little bit of STRINT
- Status on next W3C Workshop related to secure tokens and secure services
- Action items for the IG

Best,
--Wendy

----minutes----

Welcome

   Virginie: Welcome, review agenda

OWASP presentation (by Antonio FONTES from OWASP)

   Virginie: Wanted to increase interaction between OWASP and W3C
   on Web security

   Antonio: I work in info sec, specializing in web app security
   ... involved in OWASP since 2008

   <virginie> OWASP foundation website:
   https://www.owasp.org/index.php/Main_Page

   Antonio: not official representative
   ... Open Web Application Security Project
   ... organized around foundation, mission to help management
   make informed decisions on web application security
   ... guidance, tools, info, frameworks, best practices,
   references
   ... to manage lifecycle of applications
   ... Documents, conferences,

   <virginie> OWASP conferences
   https://www.owasp.org/index.php/Category:OWASP_AppSec_Conference

   Antonio: Chapters, more than 200 worldwide

   <virginie> OWASP chapters
   https://www.owasp.org/index.php/OWASP_Chapter

   Antonio: Chapters build connection to local level

   Virginie: How can we interact, work with you on deliverables?

   Antonio: Should talk about mailing lists
   ... have more than 36k members registered on lists
   ... to share info, get feedback

   OWASP mailing lists:
   https://lists.owasp.org/mailman/listinfo

   Antonio: mailing lists could be avenue for collaboration
   ... Documentation project sometimes reviews externally produced
   docs
   ... to provide guidance, suggestions
   ... Top 10 Web App Security Risks
   ... Every year, collect factual data to identify risks
   ... used by orgs for reference, fast overview

   <virginie>
   https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

   Antonio: Review against this top 10, at least
   ... ASVS
   ... Aims at standardizing entire verification set

   <virginie>
   https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project

   Antonio: everything you should verify in a web app that asserts
   it's secure
   ... ZAP Proxy, a tool that helps testing of web apps

   <virginie>
   https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

   Antonio: downloadable from OWASP
   ... ESAPI, library of secure code
   ... questions?

   <antonio> the library is the ESAPI

   <antonio> Enterprise Security API

   <virginie> ESAPI (The OWASP Enterprise Security API)
   https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

   wseltzer: We look forward to discussing closer work with OWASP,
   including possible collaboration on reviews

   Virginie: Great to hear of the number of people involved in
   OWASP activities

   fjh: Do you have info on usage of verifications
   ... @@

   antonio: we are trying to get better usage information
   ... we know governments are using ASVS
   ... as standard for internal development
   ... We have seen Top 10 integrated in almost all security
   reference

   <fjh> second question was whether you are seeing anything
   related to Target breach, which has had big business impact,
   any new work based on this

   antonio: We have no large standards-level reference to ASVS

   <fjh> thanks, that all makes sense regarding asvs

   antonio: hard to get reference to 140 controls

   fjh: Did Target breach have repercussions?

   Antonio: Yes. Any breach that gets lots of media attention
   calls attention to security
   ... but we don't often get details about the vulnerability,
   whereas we did in Target.

   <fjh> yes, target will be a great use case for justification
   for need of security analysis etc

   virginie: We'll see how to collaborate in follow-up

   <fjh> thanks Antonio for excellent summary

SysApp WG security model (by Dave RAGGETT from W3C)

   <dsr> http://www.w3.org/2012/sysapps/

   Virginie: Thanks Dave Raggett for joining to discuss SysApps

   dsr: SysApps is looking at giving web developers rich access to
   device capabilities
   ... requiring greater levels of trust than normal APIs

   <dsr> http://www.w3.org/2012/09/sysapps-wg-charter.html

   dsr: started with 2 phases of work, may re-charter
   ... Rich capabilities, example Sony's work on access to raw
   sockets
   ... That's not something you'd want to give to arbitrary web
   app
   ... 2 classes of apps. Packaged install, hosted app on website
   ... For both, thinking about manifest
   ... earlier w3c work on widgets not widely deployed
   ... JSON manifest started in SysApps, transferring to WebApps
   ... info about the app, e.g. full-screen
   ... App URI, allowing apps, whether hosted or packaged, to
   download resources in the same way
   ... Security and permissions
   ... open meeting re trust and permissions
   ... also rechartering

   <virginie> doodle for participating
   http://doodle.com/6mequ2befp3ax592#table

   dsr: different approaches: Native apps, Android list
   permissions up-front
   ... iOS run-time request to user
   ... relates to EULAs
   ... How should we do this on the Web?
   ... experience from Device APIs, Geoloc
   ... privacy
   ... privacy footprint
   ... do users understand questions they're being asked?

   terri: question on manifests and security

   dsr: work on manifests in webapps
   ... some companies would like to add permissions in manifest
   ... if we want to allow devs to deal with manifests, need
   standard naming


   fjh: Is it correct to say security model needs work, using the
   workshop to progress?

   dsr: Yes, runtime security model discontinued

   christine: Please come talk to PING regarding privacy
   considerations

   dsr: thanks, will do

   terri: How does sysapps interact with CSP?

   dsr: more webapps than sysapps
   ... some discussion, still ongoing
   ... would be able to use CSP, based on same-origin model
   ... other things to do with trust
   ... how does that affect permissioning model
   ... browsers vary on how they remember "clicked yes"
   ... based on HTTPS

   virginie: thanks, we'll look forward to hearing about the
   workshop

Report from W3C Web Payment Workshop, with a special focus on
identity, security and privacy, and a little bit of STRINT

   Virginie: reports from workshops

   <virginie> Payment report
   http://www.w3.org/2013/10/payments/final_report.html

   virginie: discussion of privacy and security; several
   references to trusted user interface
   ... re payments, w3c is looking to charter new Interest Group

   <virginie> STRINT report
   https://tools.ietf.org/html/draft-iab-strint-report-00

   <virginie> What may fall in W3C
   http://lists.w3.org/Archives/Public/public-web-security/2014Apr/0008.html

Status on next W3C Workshop related to secure tokens and secure
services

   Virginie: Workshop on secure tokens and hardware authentication
   ... Sept 10-11 in Mountain View
   ... has been approved by w3c, will share info soon
   ... working with FIDO Alliance, smartcard vendors
   ... how to integrate hw security for secure authentication

Action items for the IG

   <virginie> We have a recent proposal from Wendy to take WebRTC
   as a possible
   http://lists.w3.org/Archives/Public/public-web-security/2014Apr/0006.html

   Virginie: actions; e.g. Wendy's thinking on WebRTC and Web
   Security model
   ... end these calls with call for volunteers, info share

   <virginie> https://www.w3.org/Security/wiki/IG

   Virginie: e.g. volunteers for web security guidelines

   <virginie>
   https://www.w3.org/Security/wiki/IG/W3C_spec_review

   <virginie>
   https://www.w3.org/Security/wiki/IG/W3C_spec_review/Security_Guidelines

   virginie: thanks, and keep in touch on the list

   [adjourned]

   <antonio> thank you all

   <virginie> thanks antonio, dave and all participants


-- 
Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
http://wendy.seltzer.org/        +1.617.863.0613 (mobile)



Received on Thursday, 8 May 2014 17:57:40 UTC