Secure the Web Forward

13 September 2023


Bert, Dan_Appelquist, dom__, hober, labrax, sangwhan, tidoust, zcorpan
Daniel Appelquist

Meeting minutes

Slideset: https://www.w3.org/2023/Talks/TPAC/breakouts/secure-forward/

DKA_: Welcome to the Secure the Web Forward session. About securing the web!
… Put some additional energy behind web security.
… Not intended to duplicate the work in WebAppSec, but rather other aspects on software security that are maybe not being addressed enough in W3C and by web devs in general
… Bridge software security ecosystem and web dev ecosystem.
… I've been participating in the OSS Foundation, with Arnaud.
… Some language used there is not familiar with language used in web dev circles.
… Open source ecosystem may not be familiar with the issues that most web devs have with regard to security.
… Next week, I'm going to run a companion session to this in the OSS meeting.
… Part of this is converging on a common understanding
… That is important for the future of the web.
… People are using the web for all sorts of aspects with heavily personal information. All mediated through the web.
… Very important to strengthen the web

[Slide 5]

[tidoust quickly introduces the results of the MDN short survey run in May 2023]

DKA_: Having been involved in UK government in the past, I'd like to emphasize the regulatory requirements here.
… All in flux, sometimes hard for developers to understand.

Arnaud: What's happening is that open source is under attack. There isn't a piece of software out there that does not use open source.
… This has led to a situation where bad actors have realized that this is a weak spot, and target open source.
… Governments are starting to realize that this is costing a lot of money.
… There is a public safety element to it.
… The US government started by requiring a list of the components that are in a particular piece of software.
… In the web space, we import a lot of things. Anybody installing an npm package knows that. The amount of dependencies is crazy.
… The Cyber Security Resiliency Act puts the liability on the software, no more "use at your own risk".
… A whole bunch of efforts are happening.
… Such a big problem needs to be addressed from different perspectives.
… One of the most fascinating attacks that I've seen is typosquatting. You just change a character and publish a new package, which gets picked up by people, and then you control further releases.
… Some tools can be used to scan your code, to alert you when there is an import.
… Some tools will scour GitHub repositories.
… It's not just about vulnerabilities, also about "do you use peer reviews?"
… It seems a good idea to bring this into the W3C space. The problem is bigger than the usual discussions.
… Of course, we talk about security in W3C, but not from that overall perspective.

[Slide 6]

Arnaud: We thought that this was an opportunity to discuss and see what we can do

[Slide 7]

DKA_: "Software supply chain". That's a term that I hadn't heard about before last year. Open SSF talks about that all the time.
… Software supply chain gets talked about in terms of a bill of material.
… That's a situation where there are two competing standards, because, you know, standards.
… Has anybody integrated SBOM in a development pipeline?

labrax: Member of the SPDX community.

<labrax> OSS Review Toolkit

<dom__> SPDX

<dom__> A suite of tools to assist with reviewing Open Source Software dependencies.

labrax: I developed an OSS Review Toolkit to get modular feedback on software analysis.
… If modules all speak the same SPDX, that could greatly help with interoperability.
… Generally, false positives tend to be a problem

Camille: Security in Chrome. CSP seems like a preliminary to any kind of inventory such as the one we're talking about.

DKA_: That's the question that we should be asking.
… What's the context under which this can run in browsers.
… This is also about looking at the dependencies of the code you injected in the first place.
… Considering all the dependencies that software has, it seems to me that there is value in applying SBOM to web applications.
… We've heard about a CycloneDX plugin for web apps, but that feels like a new possible area of work


dom: Intersection between understanding what developers ship in their application and potential risks that this creates
… is something that is interesting to explore.
… In many cases, the code that we ship cannot be easily tied back to the libraries that were used because of compilation or transpilation.
… How that ties to SRI, CSP, sourcemaps, and other technologies seems a useful space of exploration.

DKA_: Maybe we can talk a bit about what OWD is doing

<Jun> https://slsa.dev

fscholz: I've been looking at the material that exists on MDN related to security, and trying to figure out what to make of the survey results that we've seen to improve the documentation.
… If you look at the section in MDN docs that tries to educate developers, it is actually quite thin, so there is room for improvement. For the workshop, I'd like to prepare an assessment of what we have right now on MDN
… And come up with a set of possible priorities of stuff to improve or add.
… OWD is Open Web Docs.
… Based on donations from companies, we contribute to improving MDN.

DKA_: It's clear from the survey that it's needed.

mfinkel: From Apple. IETF has a working group on software supply chain.
… Still ongoing, the path is not entirely clear yet, cross-organization collaboration would be useful.
… It's clear that securing the web is hard and that developers in general have a hard time understanding what to do.

<dom__> Supply Chain Integrity, Transparency, and Trust (scitt)

<michaelficarra> can someone put the name of that IETF WG in the chat?

Arnaud: The IETF group is SCITT, right? I learned about it yesterday. Agree we should touch base.

<michaelficarra> crossed paths, thanks

<Zakim> labrax, you wanted to discuss E2E

<mfinkel> https://datatracker.ietf.org/wg/scitt/about/

labrax: When I use the web, personal perspective, I trust end-to-end encryption
… A number of applications have e2e encryption.
… The problem is when the application is served from the same site you log into.
… This creates a sort of man-in-the-middle situation.
… There are workarounds.
… We need to be able to keep an eye on an application when it updates behind the scenes.

dhuigens: We will be talking about that in the Friday session of the WebAppSec working group.
… Focusing on transparency, e.g., transparency log where you could submit the source code so that the browser could ensure that the source code it receives is the same as the one that the server is supposed to serve.
… Of course, you still need something like an SBOM to be able to check that the bill that's there corresponds, but that seems like a complementary topic.
… Source code transparency, that's what I've been calling it so far, but the name is not here to stay. Just a proposal for now.

DKA_: I'll be sitting with the WebAppSec group later this week. That sounds well aligned with the goals that we're looking into here.
… Worried about taking something that was not written for the web and applying it to the web.

dhuigens: Going to be Friday at 2:30pm I think.

[Slide 8]

tidoust: From a dev perspective, integrating security aspects into the development lifecycle is an open question to me. A bit like tests a long time ago, where you would develop the app, then worry about tests.

DKA_: There are different chains in the development flow. Development tools. Build tools.
… What do you need to do as a developer to integrate things into the development workflow?

labrax: One of the biggest challenges is that, as an industry, we don't know whom to trust.
… Author, developer, browser.
… Companies such as RedHat.
… Where you put the line of trust has impacts on the approach you're going to take.

<Bert> https://www.w3.org/2023/03/secure-the-web-forward/

W3C Workshop Secure the Web Forward

Minutes manually created (not a transcript), formatted by scribe.perl version 221 (Fri Jul 21 14:01:30 2023 UTC).

Maybe present: Arnaud, Camille, dhuigens, DKA_, dom, fscholz, mfinkel

All speakers: Arnaud, Camille, dhuigens, DKA_, dom, fscholz, labrax, mfinkel, tidoust

Active on IRC: Bert, dhuigens, DKA_, dom__, hober, Jun, labrax, mfinkel, michaelficarra, sangwhan, tidoust, zcorpan