W3C

- DRAFT -

Web Security IG

06 May 2014

Agenda

See also: IRC log

Attendees

Present
+1.613.287.aaaa, +1.408.412.aabb, +33.4.42.36.aacc, BHill, karen_oDonoghue, WSeltzer, +1.613.287.aadd, terri, virginie, christine, Harold_Johnson, fjh, Sanjiv, antonio, Dsr, Frederick_Hirsch
Regrets
Chair
Virginie Galindo
Scribe
wseltzer

Contents


Date: 6 May 2014

<antonio> 41 is switzerland

<virginie> http://lists.w3.org/Archives/Public/public-web-security/2014May/0000.html

Welcome

Virginie: Welcome, review agenda

OWASP presentation (by Antonio FONTES from OWASP)

Virginie: Wanted to increase interaction between OWASP and W3C on Web security

Antonio: I work in info sec, specializing in web app security
... involved in OWASP since 2008

<virginie> OWASP foundation website : https://www.owasp.org/index.php/Main_Page

Antonio: not official representative
... Open Web Application Security Project
... organized around foundation, mission to help management make informed decisions on web application security
... guidance, tools, info, frameworks, best practices, references
... to manage lifecycle of applications
... Documents, conferences,

<virginie> OWASP conferences https://www.owasp.org/index.php/Category:OWASP_AppSec_Conference

Antonio: Chapters, more than 200 worldwide

<virginie> OWASP chapters https://www.owasp.org/index.php/OWASP_Chapter

Antonio: Chapters build connection to local level

Virginie: How can we interact, work with you on deliverables?

Antonio: Should talk about mailing lists
... have more than 36k members registered on lists
... to share info, get feedback

OWASP mailing lists: https://lists.owasp.org/mailman/listinfo

Antonio: mailing lists could be avenue for collaboration
... Documentation project sometimes reviews externally produced docs
... to provide guidance, suggestions
... Top 10 Web App Sec Security Risks
... Every year, collect factual data to identify risks
... used by orgs for reference, fast overview

<virginie> https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Antonio: Review against this top 10, at least
... ASVS
... Aims at standardizing entire verification set

<virginie> https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project

Antonio: everything you should verify in a web app that asserts it's secure
... ZAP Proxy, a tool that helps testing of web apps

<virginie> https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

Antonio: downloadable from OWASP
... ESAPI, library of secure code
... questions?

<antonio> the library is the ESAPI

<antonio> Entreprise Security API

<virginie> ESAPI (The OWASP Enterprise Security API) https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

wseltzer: We look forward to discussing closer work with OWASP, including possible collaboration on reviews

Virginie: Great to hear of the number of people involved in OWASP activities

fjh: Do you have info on usage of verifications
... @@

antonio: we are trying get better usage information
... we know governments are using ASVS
... as standard for internal development
... We have seen Top 10 integrated in almost all security reference

<fjh> second question was whether you are seeing anything related to Target breach, which has had big business impact, any new work based on this

antonio: We have no large standards-level reference to ASVS

<fjh> thanks, that all makes sense regarding asvs

antonio: hard to get reference to 140 controls

fjh: Did Target breach have repercussions?

Antonio: Yes. Any breach that gets lots of media attention calls attention to security
... but we don't often get details about the vulnerability, whereas we did in Target.

<fjh> yes, target will be a great use case for justification for need of security analysis etc

virgine: We'll see how to collaborate in follow-up

<fjh> thanks Antonio for excellent summary

SysApp WG security model (by Dave RAGGETT from W3C)

<dsr> http://www.w3.org/2012/sysapps/

Virgine: Thanks Dave Raggett for joining to discuss SysApps

dsr: SysApps is looking at giving web developers rich access to device capabilities
... requiring greater levels of trust than normal APIs

<dsr> http://www.w3.org/2012/09/sysapps-wg-charter.html

dsr: started with 2 phases of work, may re-charter
... Rich capabilities, example Sony's work on access to raw sockets
... That's not something you'd want to give to arbitrary web app
... 2 classes of apps. Packaged install, hosted app on website
... For both, thinking about manifest
... earlier w3c work on widgets not widely deployed
... JSON manifest started in SysApps, transferring to WebApps
... info about the app, e.g. full-screen
... App URI, allowing apps, whether hosted or packaged, to download resources in the same way
... Security and permissions
... open meeting re trust and permissions
... also rechartering

<virginie> doodle for participating http://doodle.com/6mequ2befp3ax592#table

dsr: different approaches: Native apps, Android list permissions up-front
... iOS run-time request to user
... relates to EULAs
... How should we do this on the Web?
... experence from Device APIs, Geoloc
... privacy
... privacy footprint
... do users understand questions they're being asked?

terri: question on manifests and security

dsr: work on manifests in webapps
... some companies would like to add permissions in manifest
... if we want to allow devs to deal with manifests, need standard naming

<christine> q

fjh: Is it correct to say security model needs work, using th workshop to progress?

dsr: Yes, runtime security model discontinued

christine: Please come talk to PING regarding privacy considerations

dsr: thanks, will do

terri: How does sysapps interact with CSP?

dsr: more webapps than sysapps
... some discussion, still ongoing
... woudl be able to use CSP, based on same-origin model
... other things to do with trust
... how does that affect permisioning model
... browsers vary on how they remember "clicked yes"
... based on HTTPs

virginie: thanks, we'll loook forward to hearing about the workshop

Report from W3C Web Payment Workshop, with a special focus on identity, security and privacy, and a little bit of STRINT

Virgine: reports from workshops

<virginie> Payment report http://www.w3.org/2013/10/payments/final_report.html

virginie: discussion of privacy and security; several references to trusted user interface
... re payments, w3c is looking to charter new Interest Group

<virginie> STRINT report https://tools.ietf.org/html/draft-iab-strint-report-00

<virginie> What may fall in W3C http://lists.w3.org/Archives/Public/public-web-security/2014Apr/0008.html

Status on next W3C Workshop related to secure token and secure services,

Virginie: Worshop on secure tokens and hardware authentication
... Sept 10-11 in Mountain View
... has been approved by w3c, will share info soon
... working with FIDO Alliance, smartcard vendors
... how to integrate hw security for secure authentication

Action items for the IG

<virginie> We have a recent proposal from Wendy to take web rtc as a possible http://lists.w3.org/Archives/Public/public-web-security/2014Apr/0006.html

Virginie: actions; e.g. Wendy's thinking on webrtc and Web Security model
... end these calls with call for volunteers, info share

<virginie> https://www.w3.org/Security/wiki/IG

Virginie: e.g. volunteers for web security guidelines

<virginie> https://www.w3.org/Security/wiki/IG/W3C_spec_review

<virginie> https://www.w3.org/Security/wiki/IG/W3C_spec_review/Security_Guidelines

virginie: thanks, and keep in touch on the list

[adjourned]

<antonio> thank you all

<virginie> thanks antonio, dave and all participants

Summary of Action Items

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.138 (CVS log)
$Date: 2014-05-06 17:01:00 $

Scribe.perl diagnostic output

[Delete this section before finalizing the minutes.]
This is scribe.perl Revision: 1.138  of Date: 2013-04-25 13:59:11  
Check for newer version at http://dev.w3.org/cvsweb/~checkout~/2002/scribe/

Guessing input format: RRSAgent_Text_Format (score 1.00)

Succeeded: s/scree/screen/
Succeeded: s/shoudl/should/
Succeeded: s/wseltzer: @@/wseltzer: We look forward to discussing closer work with OWASP, including possible collaboration on reviews/
Succeeded: s/@@API/ESAPI/
No ScribeNick specified.  Guessing ScribeNick: wseltzer
Inferring Scribes: wseltzer
Default Present: +1.613.287.aaaa, +1.408.412.aabb, +33.4.42.36.aacc, BHill, karen_oDonoghue, WSeltzer, +1.613.287.aadd, terri, virginie, christine, Harold_Johnson, fjh, Sanjiv, antonio, Dsr
Present: +1.613.287.aaaa +1.408.412.aabb +33.4.42.36.aacc BHill karen_oDonoghue WSeltzer +1.613.287.aadd terri virginie christine Harold_Johnson fjh Sanjiv antonio Dsr Frederick_Hirsch
Agenda: http://lists.w3.org/Archives/Public/public-web-security/2014May/0000.html
Found Date: 06 May 2014
Guessing minutes URL: http://www.w3.org/2014/05/06-websec-minutes.html
People with action items: 

[End of scribe.perl diagnostic output]