https://www.w3.org/2019/01/07-wot-sec-minutes.html
https://www.w3.org/2018/12/17-wot-sec-minutes.html
McCool: going through the minutes from Jan 7
... would accept the minutes
... any objections?
(none)
McCool: and the previous one
... a typo s/ans/and/
... also s/decisio non/decision on/
Kaz: just fixed
McCool: would accept the minutes
... any objections?
(none)
McCool: both the minutes are approved now
McCool: Elena, status?
Elena: lots of penetration tests
... need to set our goals
https://github.com/w3c/wot-security-testing-plan
McCool: we should start with OWASP, etc., as the place for recommended tools
... and category of tools
... cross-site scripting
... we're most interested in Web-based security
Elena: top-10 tools?
... each category has one tool?
McCool: Web API security
... we're trying to protect devices
... malicious HTML is not our target
... the question on penetration tests
... we could start with one broad category
... (goes to "Web Service Security Cheat Sheet")
<McCool> https://www.owasp.org/index.php/Web_Service_Security_Testing_Cheat_Sheet
McCool: maybe good place to start with
... here are some tools
... also testing phase
... and category too
Elena: cross-site scripting
... starting with the list and think what is needed?
McCool: vulnerability discovery
Elena: what are we trying to test?
McCool: WoT interface describes web service interface
... we care about those services
... security breach
... focus here is HTTP-based APIs
... don't think there are tools for fuzzing for CoAP at the moment
McCool: first of all, would like to include reference to OWASP
Elena: what about what W3C already has?
... various security activities
McCool: we want OWASP reference, vulnerability test, fuzz test, ...
... and based on the OWASP cheat sheet page, some more topics
... we should go through this list and see what would be relevant
... not sure what "manual test" here means
... but maybe some catalog of known vulnerabilities, etc.
... (adds catalog of known vulnerabilities, protocol/header analysis, to "To do" list)
Elena: you need to do vulnerability discovery anyway
McCool: (adds privilege escalation, manual)
Elena: usually called "penetration test"
McCool: another large category should be "denial of services"
Elena: you can keep the service down if needed
McCool: (moves "denial of service" under "penetration testing")
... (also adds "authorization bypass")
... we should cite OWASP things
... we have some citations here
... functional testing is simply paraphrasing this...
... "Does the Thing do what the TD says it does in terms of security, and only that?"
... fundamentally, we're validating TDs
... check the security portion of the TD
... (adds another section for "Best Practices")
... really want to identify known bad practices, such as "basic auth + http"
... for which a vulnerability is known
... it is known from the TD that the system is vulnerable
... (adds several points to "Vulnerability Discovery")
... Fuzz Testing: example, burp suite
... catalog of known vulnerabilities: don't know from the TD that it is vulnerable, but a test exists. example, metasploit(?)
... (also add another sub section for "Code Analysis")
... Static Analysis: example, Klocwork, Verity
... Known NIST CVEs
Elena: ExploitDB
McCool: difference between vulnerability and exploit
... goal of testing is to find vulnerabilities
... would like to capture the points
... (goes through the updated testing plan document)
... would add "Suggested Test Procedure"
McCool: will be traveling next week
... so this is the last security call before the f2f
... should have an additional call?
Elena: your availability?
McCool: let's do emailing
... will be available on Wed, Thu and Fri next week
... let's discuss by email
Elena: ok
... will you be at EST?
McCool: yes
... we can aim Thursday and think about the possible time
... discussion between you and me beforehand, and have more feedback during f2f
Elena: ok
McCool: Wednesday work? or Friday?
Elena: Friday would be empty
McCool: let's think about the time later
Elena: ok
McCool: workshop call and architecture call on wed?
Kaz: think we'll have those calls
... will send the webex coordinate for the architecture call to the group later
[adjourned]
See the Action wiki.