Re: Require security review before FPWD -- what about privacy?

I actually think that though security review is important, many web specs are more about state than communications, and that we need evidence of privacy review as well. The idea that we can publish specs without thinking about their privacy impact is well past its sell-by date, I fear.

On Oct 31, 2014, at 0:02 , Chris Wilson <cwilso@google.com> wrote:

> I'd really like to not block on a review by WebAppSec *for* FPWD publication, though I think it would be good to have a boilerplate spec template section that *is* required for FPWD that includes questions that will at least spark thinking about the security and privacy implications.  Perhaps that could trigger WebAppSec review of that FPWD?
> 
> On Thu, Oct 30, 2014 at 3:49 PM, fantasai <fantasai.lists@inkedblade.net> wrote:
> On 10/30/2014 10:46 AM, Anne van Kesteren wrote:
> On Thu, Oct 30, 2014 at 6:32 PM, Chris Wilson <cwilso@google.com> wrote:
> In general, I'm in agreement that security should be considered early; since
> FPWD is the only place you can make sure it's "early", I might agree with
> this, but what would you consider a "security review"?  Are there specific
> people you'd want involved, signoff from someone particular, or simply a
> "security review" section in the FPWD doc?  Specific questions like "why
> don't you require TLS (if you don't)?"
> 
> Probably specific questions would work best, combined with review from
> the WebAppSec community.
> 
> +1 from me. Seems totally reasonable.
> 
> Would you require the review from WebAppSec prior to FPWD publication,
> or trigger it by FPWD publication?
> 
> ~fantasai
> 
> 

David Singer
Manager, Software Standards, Apple Inc.

Received on Friday, 31 October 2014 08:26:16 UTC