This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
OWASP Working Session - Browser Security
| Working Sessions Operational Rules - Please see here the general frame of rules. |
|---|
| WORKING SESSION IDENTIFICATION | ||||||
|---|---|---|---|---|---|---|
| Work Session Name | ISWG Browser Security | |||||
| Short Work Session Description | Brainstorming on how to introduce more useful security into our browsers | |||||
| Related Projects (if any) |
OWASP ISWG (Intrinsic Security Working Group) = OWASP Intrinsic Security Working Group - Browser Security | |||||
| Email Contacts & Roles | Chair Arshan Dabirsiaghi |
Secretary Kuai Hinojosa |
Mailing list Subscription Page | |||
| WORKING SESSION SPECIFICS | ||||||
|---|---|---|---|---|---|---|
| Objectives |
| |||||
| Venue/Date&Time/Model | Venue OWASP EU Summit Portugal 2008 |
Date&Time November 4, 2008 8:30 |
Discussion Model Everybody is a Participant | |||
| WORKING SESSION OPERATIONAL RESOURCES | ||||||
|---|---|---|---|---|---|---|
| Projector, whiteboards, markers, Internet connectivity, power | ||||||
| WORKING SESSION ADDITIONAL DETAILS | ||||||
|---|---|---|---|---|---|---|
- Time: 30 mins Introduction - Time: 2 hrs 00 mins Identify and generate advice on short term issues with relatively low impact on adoption and site-breakage Analyze security feature matrix and compare browser features - Time: 2 hrs 30 mins Address issues in the current HTML5 specifications - Time: 3 hrs 30 mins Long term: General policy enforcement (NoScript as a model for browsers?) Long term: JavaScript policy-driven sandboxing - Remaining time: Identify 5 Key Browser Risks and select the top 3, Build a proposal to target key players in the industry and ask for their support Confirm point leads, roles and responsibilities Related resources: | ||||||
| WORKING SESSION OUTCOMES | ||
|---|---|---|
| Statements, Initiatives or Decisions | Proposed by Working Group | Approved by OWASP Board |
| OWASP Top 10 Browser Wishlist. | Successful. Top 10 browser security features identified. | |
| Actionable advice and technical arguments for HTML5 feature set. | Unsuccessful. HTML5 was not discussed due to time constraints. | |
| Establish OWASP points-of-contact for W3C. | Unsuccessful. W3C relationship was not discussed due to time constraints. | |
| Understand vendor perspective | Successful due to vendor insight from Peleus Uhley. | |
| Identify top 3 risks to browsers | Successful. A draft of an open letter to the browsers from the ISWG was created. Awaiting signing from security, industry and standards organizations before publishing. | |
| Begin promotional activities | Successful. Blog postings are planned, and talking points have been created. | |
Working Session Participants
| WORKING SESSION PARTICIPANTS | ||||||
|---|---|---|---|---|---|---|
| 1 | Mario Heiderich | Independent | Participant | |||
| 2 | Gareth Heyes | Independent | Participant | |||
| 3 | Marcin Wielgoszewski | Protiviti | Participant | |||
| 4 | Adam Baso | Symantec | Participant | |||
| 5 | Achim Hoffmann | Independent | Participant | |||
| 6 | David Rook | Realex Payments | Participant | |||
| 7 | Peleus Uhley | Adobe Systems | Participant | |||
| 8 | Giorgio Fedon | Minded Security | Participant | |||
| 9 | Esteban ribicic | HP | Participant | |||
| 10 | Nishi Kumar | Fidelity Nationals | Participant | |||
| 11 | Alex Smolen | Foundstone | Participant | |||
| 12 | Tom Brennan | WhiteHat Security | Participant | |||
| 13 | Georg Hess | Art of Defence | Participant | |||
| 14 | Ljubibratic Gradimir | Telecom Serbia | Participant | |||
| 15 | Achim Hoffmann | SecureNet | Participant | |||
| 16 | Edgar Vasquez | Softtek | Participant | |||
| 17 | Michael Coates | Aspect Security | Participant | |||
| 18 | David Campbell | OWASP Denver | Participant | |||
| 19 | Jeff Williams | Aspect Security | Participant | |||
| 20 | Kuai Hinojosa | NYU | Participant | |||
