Purpose of this workshop
The world wide web is the most pervasive development and deployment platform for applications and services. Its distributed, non-curated and amorphous nature, as well as the lack of friction, is at the same time its great differentiator and an enormous challenge, particularly in the arena of security. Security vulnerabilities in applications are a target for bad actors. When applications are deployed on the web across a heterogeneous environment of cloud providers, networks and browsers, the potential for exploitation of these vulnerabilities is increased. Insecure web applications can be a vector for malware, privacy violations, ransomware and unwanted surveillance.
There has been a recent movement to more secure software development and deployment platforms. There have also been many new features and specifications added to web platform technologies to strengthen security. However these efforts are sometimes disconnected from each other, leading to a lack of clear guidance for web developers about the threats, mitigations and indeed the role web developers play in ensuring their applications are secure.
Possible outcomes include:
- Identify specific work on documentation that could be useful for web developers to help them make better use of existing web security technologies;
- Determine what updates are needed in commonly used libraries;
- Describe potential new web features / new language features in commonly used programming languages;
- Call for updates to commonly used web standard APIs;
- Collaboration plans between web standards and open source security initiatives;
- Plan for producing concise guidance on security issues that is aimed at web developers.
Topics covered
- How to bring the “secure software supply chain” approach to the web development community.
- Guidance for different types of web developers who work at different levels of the stack.
- How to make emerging web application security standards and technologies easier to use and adopt by web developers.
- How can open source security focused efforts better support the web developer community?
- How can Open Source security review processes serve as inspiration for review of new web specifications?
Location and Time
To be determined.
Important Dates
Due to low level of submissions, the Program Committee is re-evaluating the timing and format of the workshop. This page will be updated once these new plans emerge - please let group-secure-the-web-forward@w3.org know if you want to be alerted.
Apr 24
Program Committee
- Dan Appelquist (Snyk) - chair
- Hadley Beeman (TAG)
- Harold Blankenship (OWASP)
- Jory Burson (OpenJS)
- Robin Ginn (OpenJS)
- Dominique Hazael-Massieux (W3C)
- Arnaud Le Hors (IBM)
- Christopher Robinson (Intel, OpenSSF)
- Mike West (Google)
- Vandana Verma Sehgal (OWASP)
What is W3C?
The mission of the World Wide Web Consortium (W3C) is to lead the Web to its full potential by creating technical standards and guidelines to ensure that the Web remains open, accessible, and interoperable for everyone around the globe. W3C well-known standards HTML and CSS are the foundational technologies upon which websites are built. W3C works on ensuring that all foundational Web technologies meet the needs of civil society, in areas such as accessibility, internationalization, security, and privacy. W3C also provides the standards that undergird the infrastructure for modern businesses leveraging the Web, in areas such as entertainment, communications, digital publishing, and financial services. That work is created in the open, provided for free and under the groundbreaking W3C Patent Policy.
W3C's vision for "One Web" brings together thousands of dedicated technologists representing more than 400 member organizations and dozens of industry sectors. W3C is a public-interest non-profit organization incorporated in the United States of America, led by a Board of Directors and employing a global staff across the globe.
Who is OWASP?
The Open Worldwide Application Security Project® (OWASP) is a nonprofit foundation that works to improve the security of software. Through community-led open-source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web.
What is the OpenJS Foundation?
OpenJS Foundation the home of high-impact, supply-chain critical open source JavaScript projects including Electron, jQuery, Node.js, and many more. Our mission is to support the healthy growth of JavaScript and web technologies by providing a neutral organization to host and sustain projects, as well as collaboratively fund activities that benefit the ecosystem as a whole.
What is the OpenSSF?
The OpenSSF is a cross-industry organization that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all.