
Minutes of 6 May WebSec IG call

From: Wendy Seltzer <wseltzer@w3.org>
Date: Thu, 08 May 2014 13:57:37 -0400
Message-ID: <536BC591.9070708@w3.org>
To: "public-web-security@w3.org" <public-web-security@w3.org>

Thanks to IG members and guests Antonio Fontes (OWASP) and Dave
Raggett (W3C SysApps) for joining the May WebSec call.

Draft Minutes are posted here, and in text below:

- OWASP presentation (by Antonio FONTES from OWASP)
- SysApp WG security model (by Dave RAGGETT from W3C)
- Report from W3C Web Payment Workshop, with a special focus on
identity, security and privacy, and a little bit of STRINT
- Status on next W3C Workshop related to secure token and secure services
- Action items for the IG

--Wendy

----minutes----


   Virginie: Welcome, review agenda

OWASP presentation (by Antonio FONTES from OWASP)

   Virginie: Wanted to increase interaction between OWASP and W3C
   on Web security

   Antonio: I work in info sec, specializing in web app security
   ... involved in OWASP since 2008

   <virginie> OWASP foundation website :

     [13] https://www.owasp.org/index.php/Main_Page

   Antonio: not official representative
   ... Open Web Application Security Project
   ... organized around foundation, mission to help management
   make informed decisions on web application security
   ... guidance, tools, info, frameworks, best practices,
   ... to manage lifecycle of applications
   ... Documents, conferences,

   <virginie> OWASP conferences

     [14] https://www.owasp.org/index.php/Category:OWASP_AppSec_Conference

   Antonio: Chapters, more than 200 worldwide

   <virginie> OWASP chapters

     [15] https://www.owasp.org/index.php/OWASP_Chapter

   Antonio: Chapters build connection to local level

   Virginie: How can we interact, work with you on deliverables?

   Antonio: Should talk about mailing lists
   ... have more than 36k members registered on lists
   ... to share info, get feedback

   OWASP mailing lists:

     [16] https://lists.owasp.org/mailman/listinfo

   Antonio: mailing lists could be avenue for collaboration
   ... Documentation project sometimes reviews externally produced
   ... to provide guidance, suggestions
   ... Top 10 Web App Sec Security Risks
   ... Every year, collect factual data to identify risks
   ... used by orgs for reference, fast overview


     [17] https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

   Antonio: Review against this top 10, at least
   ... ASVS
   ... Aims at standardizing entire verification set



   Antonio: everything you should verify in a web app that asserts
   it's secure
   ... ZAP Proxy, a tool that helps testing of web apps


     [19] https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

   Antonio: downloadable from OWASP
   ... ESAPI, library of secure code
   ... questions?

   <antonio> the library is the ESAPI

   <antonio> Enterprise Security API

   <virginie> ESAPI (The OWASP Enterprise Security API)


   wseltzer: We look forward to discussing closer work with OWASP,
   including possible collaboration on reviews

   Virginie: Great to hear of the number of people involved in
   OWASP activities

   fjh: Do you have info on usage of verifications
   ... @@

   antonio: we are trying get better usage information
   ... we know governments are using ASVS
   ... as standard for internal development
   ... We have seen Top 10 integrated in almost all security

   <fjh> second question was whether you are seeing anything
   related to Target breach, which has had big business impact,
   any new work based on this

   antonio: We have no large standards-level reference to ASVS

   <fjh> thanks, that all makes sense regarding asvs

   antonio: hard to get reference to 140 controls

   fjh: Did Target breach have repercussions?

   Antonio: Yes. Any breach that gets lots of media attention
   calls attention to security
   ... but we don't often get details about the vulnerability,
   whereas we did in Target.

   <fjh> yes, target will be a great use case for justification
   for need of security analysis etc

   virginie: We'll see how to collaborate in follow-up

   <fjh> thanks Antonio for excellent summary

SysApp WG security model (by Dave RAGGETT from W3C)

   <dsr> http://www.w3.org/2012/sysapps/

   Virginie: Thanks Dave Raggett for joining to discuss SysApps

   dsr: SysApps is looking at giving web developers rich access to
   device capabilities
   ... requiring greater levels of trust than normal APIs

   <dsr> http://www.w3.org/2012/09/sysapps-wg-charter.html

   dsr: started with 2 phases of work, may re-charter
   ... Rich capabilities, example Sony's work on access to raw
   ... That's not something you'd want to give to arbitrary web
   ... 2 classes of apps. Packaged install, hosted app on website
   ... For both, thinking about manifest
   ... earlier w3c work on widgets not widely deployed
   ... JSON manifest started in SysApps, transferring to WebApps
   ... info about the app, e.g. full-screen
   ... App URI, allowing apps, whether hosted or packaged, to
   download resources in the same way
   ... Security and permissions
   ... open meeting re trust and permissions
   ... also rechartering

   <virginie> doodle for participating

     [23] http://doodle.com/6mequ2befp3ax592#table

   dsr: different approaches: Native apps, Android list
   permissions up-front
   ... iOS run-time request to user
   ... relates to EULAs
   ... How should we do this on the Web?
   ... experience from Device APIs, Geoloc
   ... privacy
   ... privacy footprint
   ... do users understand questions they're being asked?

   terri: question on manifests and security

   dsr: work on manifests in webapps
   ... some companies would like to add permissions in manifest
   ... if we want to allow devs to deal with manifests, need
   standard naming

   <christine> q

   fjh: Is it correct to say security model needs work, using the
   workshop to progress?

   dsr: Yes, runtime security model discontinued

   christine: Please come talk to PING regarding privacy

   dsr: thanks, will do

   terri: How does sysapps interact with CSP?

   dsr: more webapps than sysapps
   ... some discussion, still ongoing
   ... would be able to use CSP, based on same-origin model
   ... other things to do with trust
   ... how does that affect permissioning model
   ... browsers vary on how they remember "clicked yes"
   ... based on HTTPS

   virginie: thanks, we'll look forward to hearing about the

Report from W3C Web Payment Workshop, with a special focus on
identity, security and privacy, and a little bit of STRINT

   Virginie: reports from workshops

   <virginie> Payment report

     [24] http://www.w3.org/2013/10/payments/final_report.html

   virginie: discussion of privacy and security; several
   references to trusted user interface
   ... re payments, w3c is looking to charter new Interest Group

   <virginie> STRINT report

     [25] https://tools.ietf.org/html/draft-iab-strint-report-00

   <virginie> What may fall in W3C


Status on next W3C Workshop related to secure token and secure services

   Virginie: Workshop on secure tokens and hardware authentication
   ... Sept 10-11 in Mountain View
   ... has been approved by w3c, will share info soon
   ... working with FIDO Alliance, smartcard vendors
   ... how to integrate hw security for secure authentication

Action items for the IG

   <virginie> We have a recent proposal from Wendy to take web rtc
   as a possible


   Virginie: actions; e.g. Wendy's thinking on webrtc and Web
   Security model
   ... end these calls with call for volunteers, info share

   <virginie> https://www.w3.org/Security/wiki/IG

   Virginie: e.g. volunteers for web security guidelines


     [29] https://www.w3.org/Security/wiki/IG/W3C_spec_review



   virginie: thanks, and keep in touch on the list


   <antonio> thank you all

   <virginie> thanks antonio, dave and all participants

-- 
Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
http://wendy.seltzer.org/        +1.617.863.0613 (mobile)


Received on Thursday, 8 May 2014 17:57:40 UTC
