Re: Require security review before FPWD

Dear all,
Note that web security IG is trying to define a security review process. Unfortunately we did not have enough involvement to beta test it on specification.
Feel free to amend...
http://www.w3.org/Security/wiki/IG/W3C_spec_review
Virginie Galindo
Web Security IG co-chair


---- Anne van Kesteren wrote ----


On Thu, Oct 30, 2014 at 6:32 PM, Chris Wilson <cwilso@google.com> wrote:
> In general, I'm in agreement that security should be considered early; since
> FPWD is the only place you can make sure it's "early", I might agree with
> this, but what would you consider a "security review"?  Are there specific
> people you'd want involved, signoff from someone particular, or simply a
> "security review" section in the FPWD doc?  Specific questions like "why
> don't you require TLS (if you don't)?"

Probably specific questions would work best, combined with review from
the WebAppSec community.


--
https://annevankesteren.nl/


Received on Thursday, 30 October 2014 19:20:29 UTC