- From: Wendy Seltzer <wseltzer@w3.org>
- Date: Thu, 08 May 2014 13:57:37 -0400
- To: "public-web-security@w3.org" <public-web-security@w3.org>
Thanks to IG members and guests Antonio Fontes (OWASP) and Dave
Raggett (W3C SysApps) for joining the May WebSec call.
Draft Minutes are posted here, and in text below:
http://www.w3.org/2014/05/06-websec-minutes.html
including:
- OWASP presentation (by Antonio FONTES from OWASP)
- SysApp WG security model (by Dave RAGGETT from W3C)
- Report from W3C Web Payment Workshop, with a special focus on identity, security and privacy, and a little bit of STRINT
- Status on next W3C Workshop related to secure token and secure services
- Action items for the IG
Best,
--Wendy
----minutes----
Welcome
Virginie: Welcome, review agenda
OWASP presentation (by Antonio FONTES from OWASP)
Virginie: Wanted to increase interaction between OWASP and W3C
on Web security
Antonio: I work in info sec, specializing in web app security
... involved in OWASP since 2008
<virginie> OWASP foundation website: https://www.owasp.org/index.php/Main_Page
Antonio: not official representative
... Open Web Application Security Project
... organized around foundation, mission to help management
make informed decisions on web application security
... guidance, tools, info, frameworks, best practices,
references
... to manage lifecycle of applications
... Documents, conferences,
<virginie> OWASP conferences: https://www.owasp.org/index.php/Category:OWASP_AppSec_Conference
Antonio: Chapters, more than 200 worldwide
<virginie> OWASP chapters: https://www.owasp.org/index.php/OWASP_Chapter
Antonio: Chapters build connection to local level
Virginie: How can we interact, work with you on deliverables?
Antonio: Should talk about mailing lists
... have more than 36k members registered on lists
... to share info, get feedback
OWASP mailing lists: https://lists.owasp.org/mailman/listinfo
Antonio: mailing lists could be avenue for collaboration
... Documentation project sometimes reviews externally produced
docs
... to provide guidance, suggestions
... Top 10 Web App Sec Security Risks
... Every year, collect factual data to identify risks
... used by orgs for reference, fast overview
<virginie> https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Antonio: Review against this top 10, at least
... ASVS
... Aims at standardizing entire verification set
<virginie> https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
Antonio: everything you should verify in a web app that asserts
it's secure
... ZAP Proxy, a tool that helps testing of web apps
<virginie> https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Antonio: downloadable from OWASP
... ESAPI, library of secure code
... questions?
<antonio> the library is the ESAPI
<antonio> Enterprise Security API
<virginie> ESAPI (The OWASP Enterprise Security API): https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
wseltzer: We look forward to discussing closer work with OWASP,
including possible collaboration on reviews
Virginie: Great to hear of the number of people involved in
OWASP activities
fjh: Do you have info on usage of verifications
... @@
antonio: we are trying get better usage information
... we know governments are using ASVS
... as standard for internal development
... We have seen Top 10 integrated in almost all security
reference
<fjh> second question was whether you are seeing anything
related to Target breach, which has had big business impact,
any new work based on this
antonio: We have no large standards-level reference to ASVS
<fjh> thanks, that all makes sense regarding asvs
antonio: hard to get reference to 140 controls
fjh: Did Target breach have repercussions?
Antonio: Yes. Any breach that gets lots of media attention
calls attention to security
... but we don't often get details about the vulnerability,
whereas we did in Target.
<fjh> yes, target will be a great use case for justification
for need of security analysis etc
virginie: We'll see how to collaborate in follow-up
<fjh> thanks Antonio for excellent summary
SysApp WG security model (by Dave RAGGETT from W3C)
<dsr> http://www.w3.org/2012/sysapps/
Virginie: Thanks Dave Raggett for joining to discuss SysApps
dsr: SysApps is looking at giving web developers rich access to
device capabilities
... requiring greater levels of trust than normal APIs
<dsr> http://www.w3.org/2012/09/sysapps-wg-charter.html
dsr: started with 2 phases of work, may re-charter
... Rich capabilities, example Sony's work on access to raw
sockets
... That's not something you'd want to give to arbitrary web
app
... 2 classes of apps. Packaged install, hosted app on website
... For both, thinking about manifest
... earlier w3c work on widgets not widely deployed
... JSON manifest started in SysApps, transferring to WebApps
... info about the app, e.g. full-screen
... App URI, allowing apps, whether hosted or packaged, to
download resources in the same way
... Security and permissions
... open meeting re trust and permissions
... also rechartering
<virginie> doodle for participating: http://doodle.com/6mequ2befp3ax592#table
dsr: different approaches: Native apps, Android list
permissions up-front
... iOS run-time request to user
... relates to EULAs
... How should we do this on the Web?
... experience from Device APIs, Geolocation
... privacy
... privacy footprint
... do users understand questions they're being asked?
terri: question on manifests and security
dsr: work on manifests in webapps
... some companies would like to add permissions in manifest
... if we want to allow devs to deal with manifests, need
standard naming
<christine> q
fjh: Is it correct to say security model needs work, using the
workshop to progress?
dsr: Yes, runtime security model discontinued
christine: Please come talk to PING regarding privacy
considerations
dsr: thanks, will do
terri: How does sysapps interact with CSP?
dsr: more webapps than sysapps
... some discussion, still ongoing
... would be able to use CSP, based on same-origin model
... other things to do with trust
... how does that affect permissioning model
... browsers vary on how they remember "clicked yes"
... based on HTTPS
virginie: thanks, we'll look forward to hearing about the
workshop
Report from W3C Web Payment Workshop, with a special focus on identity, security and privacy, and a little bit of STRINT
Virginie: reports from workshops
<virginie> Payment report: http://www.w3.org/2013/10/payments/final_report.html
virginie: discussion of privacy and security; several
references to trusted user interface
... re payments, w3c is looking to charter new Interest Group
<virginie> STRINT report: https://tools.ietf.org/html/draft-iab-strint-report-00
<virginie> What may fall in W3C: http://lists.w3.org/Archives/Public/public-web-security/2014Apr/0008.html
Status on next W3C Workshop related to secure token and secure services
Virginie: Workshop on secure tokens and hardware authentication
... Sept 10-11 in Mountain View
... has been approved by w3c, will share info soon
... working with FIDO Alliance, smartcard vendors
... how to integrate hw security for secure authentication
Action items for the IG
<virginie> We have a recent proposal from Wendy to take web rtc as a possible
http://lists.w3.org/Archives/Public/public-web-security/2014Apr/0006.html
Virginie: actions; e.g. Wendy's thinking on webrtc and Web
Security model
... end these calls with call for volunteers, info share
<virginie> https://www.w3.org/Security/wiki/IG
Virginie: e.g. volunteers for web security guidelines
<virginie> https://www.w3.org/Security/wiki/IG/W3C_spec_review
<virginie> https://www.w3.org/Security/wiki/IG/W3C_spec_review/Security_Guidelines
virginie: thanks, and keep in touch on the list
[adjourned]
<antonio> thank you all
<virginie> thanks antonio, dave and all participants
--
Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
http://wendy.seltzer.org/ +1.617.863.0613 (mobile)
Received on Thursday, 8 May 2014 17:57:40 UTC