See also: IRC log
Date: 6 May 2014
<antonio> 41 is Switzerland
<virginie> http://lists.w3.org/Archives/Public/public-web-security/2014May/0000.html
Virginie: Welcome, review agenda
Virginie: Wanted to increase interaction between OWASP and W3C on Web security
Antonio: I work in info sec, specializing in web app security
... involved in OWASP since 2008
<virginie> OWASP foundation website : https://www.owasp.org/index.php/Main_Page
Antonio: not official representative
... Open Web Application Security Project
... organized around foundation, mission to help management make informed decisions on web application security
... guidance, tools, info, frameworks, best practices, references
... to manage lifecycle of applications
... Documents, conferences,
<virginie> OWASP conferences https://www.owasp.org/index.php/Category:OWASP_AppSec_Conference
Antonio: Chapters, more than 200 worldwide
<virginie> OWASP chapters https://www.owasp.org/index.php/OWASP_Chapter
Antonio: Chapters build connection to local level
Virginie: How can we interact, work with you on deliverables?
Antonio: Should talk about mailing lists
... have more than 36k members registered on lists
... to share info, get feedback
OWASP mailing lists: https://lists.owasp.org/mailman/listinfo
Antonio: mailing lists could be avenue for collaboration
... Documentation project sometimes reviews externally produced docs
... to provide guidance, suggestions
... Top 10 Web App Sec Security Risks
... Every year, collect factual data to identify risks
... used by orgs for reference, fast overview
<virginie> https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Antonio: Review against this top 10, at least
... ASVS
... Aims at standardizing entire verification set
<virginie> https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
Antonio: everything you should verify in a web app that asserts it's secure
... ZAP Proxy, a tool that helps testing of web apps
<virginie> https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Antonio: downloadable from OWASP
... ESAPI, library of secure code
... questions?
<antonio> the library is the ESAPI
<antonio> Enterprise Security API
<virginie> ESAPI (The OWASP Enterprise Security API) https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
wseltzer: We look forward to discussing closer work with OWASP, including possible collaboration on reviews
Virginie: Great to hear of the number of people involved in OWASP activities
fjh: Do you have info on usage of verifications
... @@
antonio: we are trying to get better usage information
... we know governments are using ASVS
... as standard for internal development
... We have seen Top 10 integrated in almost all security reference
<fjh> second question was whether you are seeing anything related to Target breach, which has had big business impact, any new work based on this
antonio: We have no large standards-level reference to ASVS
<fjh> thanks, that all makes sense regarding asvs
antonio: hard to get reference to 140 controls
fjh: Did Target breach have repercussions?
Antonio: Yes. Any breach that gets lots of media attention calls attention to security
... but we don't often get details about the vulnerability, whereas we did in Target.
<fjh> yes, target will be a great use case for justification for need of security analysis etc
Virginie: We'll see how to collaborate in follow-up
<fjh> thanks Antonio for excellent summary
<dsr> http://www.w3.org/2012/sysapps/
Virginie: Thanks Dave Raggett for joining to discuss SysApps
dsr: SysApps is looking at giving web developers rich access to device capabilities
... requiring greater levels of trust than normal APIs
<dsr> http://www.w3.org/2012/09/sysapps-wg-charter.html
dsr: started with 2 phases of work, may re-charter
... Rich capabilities, example Sony's work on access to raw sockets
... That's not something you'd want to give to arbitrary web app
... 2 classes of apps. Packaged install, hosted app on website
... For both, thinking about manifest
... earlier w3c work on widgets not widely deployed
... JSON manifest started in SysApps, transferring to WebApps
... info about the app, e.g. full-screen
... App URI, allowing apps, whether hosted or packaged, to download resources in the same way
... Security and permissions
... open meeting re trust and permissions
... also rechartering
<virginie> doodle for participating http://doodle.com/6mequ2befp3ax592#table
dsr: different approaches: Native apps, Android list permissions up-front
... iOS run-time request to user
... relates to EULAs
... How should we do this on the Web?
... experience from Device APIs, Geoloc
... privacy
... privacy footprint
... do users understand questions they're being asked?
terri: question on manifests and security
dsr: work on manifests in webapps
... some companies would like to add permissions in manifest
... if we want to allow devs to deal with manifests, need standard naming
<christine> q
fjh: Is it correct to say security model needs work, using the workshop to progress?
dsr: Yes, runtime security model discontinued
christine: Please come talk to PING regarding privacy considerations
dsr: thanks, will do
terri: How does sysapps interact with CSP?
dsr: more webapps than sysapps
... some discussion, still ongoing
... would be able to use CSP, based on same-origin model
... other things to do with trust
... how does that affect permissioning model
... browsers vary on how they remember "clicked yes"
... based on HTTPS
virginie: thanks, we'll look forward to hearing about the workshop
Virginie: reports from workshops
<virginie> Payment report http://www.w3.org/2013/10/payments/final_report.html
virginie: discussion of privacy and security; several references to trusted user interface
... re payments, w3c is looking to charter new Interest Group
<virginie> STRINT report https://tools.ietf.org/html/draft-iab-strint-report-00
<virginie> What may fall in W3C http://lists.w3.org/Archives/Public/public-web-security/2014Apr/0008.html
Virginie: Workshop on secure tokens and hardware authentication
... Sept 10-11 in Mountain View
... has been approved by w3c, will share info soon
... working with FIDO Alliance, smartcard vendors
... how to integrate hw security for secure authentication
<virginie> We have a recent proposal from Wendy to take web rtc as a possible http://lists.w3.org/Archives/Public/public-web-security/2014Apr/0006.html
Virginie: actions; e.g. Wendy's thinking on webrtc and Web Security model
... end these calls with call for volunteers, info share
<virginie> https://www.w3.org/Security/wiki/IG
Virginie: e.g. volunteers for web security guidelines
<virginie> https://www.w3.org/Security/wiki/IG/W3C_spec_review
<virginie> https://www.w3.org/Security/wiki/IG/W3C_spec_review/Security_Guidelines
virginie: thanks, and keep in touch on the list
[adjourned]
<antonio> thank you all
<virginie> thanks antonio, dave and all participants
Present: +1.613.287.aaaa, +1.408.412.aabb, +33.4.42.36.aacc, BHill, karen_oDonoghue, WSeltzer, +1.613.287.aadd, terri, virginie, christine, Harold_Johnson, fjh, Sanjiv, antonio, Dsr, Frederick_Hirsch
Agenda: http://lists.w3.org/Archives/Public/public-web-security/2014May/0000.html
Minutes URL: http://www.w3.org/2014/05/06-websec-minutes.html