This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Working Session - Browser Security"

From OWASP

Jump to: navigation, search

Latest revision as of 19:17, 6 November 2008

Working Sessions Operational Rules - Please see here the general frame of rules.

WORKING SESSION IDENTIFICATION
Work Session Name	ISWG Browser Security
Short Work Session Description	Brainstorming on how to introduce more useful security into our browsers
Related Projects (if any)	OWASP ISWG (Intrinsic Security Working Group) = OWASP Intrinsic Security Working Group - Browser Security
Email Contacts & Roles	Chair Arshan Dabirsiaghi	Secretary Kuai Hinojosa	Mailing list Subscription Page

WORKING SESSION SPECIFICS
Objectives	Discuss ongoing HTML5 security research, Discuss further ramifications of HTML5 (cross-site XHR, Access-Control, client storage, etc.), Take a look at security critical areas and discuss possible browser improvements.
Venue/Date&Time/Model	Venue OWASP EU Summit Portugal 2008	Date&Time November 4, 2008 8:30	Discussion Model Everybody is a Participant

WORKING SESSION OPERATIONAL RESOURCES
Projector, whiteboards, markers, Internet connectivity, power

WORKING SESSION ADDITIONAL DETAILS
Browsers to invite: IE, FF, Safari, Opera and Chrome. Agenda: - Time: 30 mins Introduction - Time: 2 hrs 00 mins Identify and generate advice on short term issues with relatively low impact on adoption and site-breakage Analyze security feature matrix and compare browser features - Time: 2 hrs 30 mins Address issues in the current HTML5 specifications - Time: 3 hrs 30 mins Long term: General policy enforcement (NoScript as a model for browsers?) Long term: JavaScript policy-driven sandboxing - Remaining time: Identify 5 Key Browser Risks and select the top 3, Build a proposal to target key players in the industry and ask for their support Confirm point leads, roles and responsibilities Related resources: OWASP_Working_Session_-_Browser_Security_Letters

WORKING SESSION ADDITIONAL DETAILS

Browsers to invite: IE, FF, Safari, Opera and Chrome.
Agenda:

- Time: 30 mins Introduction

- Time: 2 hrs 00 mins Identify and generate advice on short term issues with relatively low impact on adoption and site-breakage Analyze security feature matrix and compare browser features

- Time: 2 hrs 30 mins Address issues in the current HTML5 specifications

- Time: 3 hrs 30 mins Long term: General policy enforcement (NoScript as a model for browsers?) Long term: JavaScript policy-driven sandboxing

- Remaining time:

Identify 5 Key Browser Risks and select the top 3, Build a proposal to target key players in the industry and ask for their support Confirm point leads, roles and responsibilities

Related resources:

OWASP_Working_Session_-_Browser_Security_Letters

WORKING SESSION OUTCOMES
Statements, Initiatives or Decisions	Proposed by Working Group	Approved by OWASP Board
	OWASP Top 10 Browser Wishlist.	Successful. Top 10 browser security features identified.
	Actionable advice and technical arguments for HTML5 feature set.	Unsuccessful. HTML5 was not discussed due to time constraints.
	Establish OWASP points-of-contact for W3C.	Unsuccessful. W3C relationship was not discussed due to time constraints.
	Understand vendor perspective	Successful due to vendor insight from Peleus Uhley.
	Identify top 3 risks to browsers	Successful. A draft of an open letter to the browsers from the ISWG was created. Awaiting signing from security, industry and standards organizations before publishing.
	Begin promotional activities	Successful. Blog postings are planned, and talking points have been created.

Working Session Participants

WORKING SESSION PARTICIPANTS
1	Mario Heiderich	Independent	Participant
2	Gareth Heyes	Independent	Participant
3	Marcin Wielgoszewski	Protiviti	Participant
4	Adam Baso	Symantec	Participant
5	Achim Hoffmann	Independent	Participant
6	David Rook	Realex Payments	Participant
7	Peleus Uhley	Adobe Systems	Participant
8	Giorgio Fedon	Minded Security	Participant
9	Esteban ribicic	HP	Participant
10	Nishi Kumar	Fidelity Nationals	Participant
11	Alex Smolen	Foundstone	Participant
12	Tom Brennan	WhiteHat Security	Participant
13	Georg Hess	Art of Defence	Participant
14	Ljubibratic Gradimir	Telecom Serbia	Participant
15	Achim Hoffmann	SecureNet	Participant
16	Edgar Vasquez	Softtek	Participant
17	Michael Coates	Aspect Security	Participant
18	David Campbell	OWASP Denver	Participant
19	Jeff Williams	Aspect Security	Participant
20	Kuai Hinojosa	NYU	Participant

Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_Working_Session_-_Browser_Security&oldid=46029"

Category:

OWASP Working Session

@@ Line 31: / Line 31: @@
   | style="width:25%; background:#7B8ABD" align="center"|'''Venue/Date&Time/Model'''
   | style="width:25%; background:#cccccc" align="center"|'''Venue'''<br>[[:OWASP EU Summit 2008|OWASP EU Summit Portugal 2008]]
-  | style="width:25%; background:#cccccc" align="center"|'''Date&Time'''<br>November 4, 2008 <br>9:00
+  | style="width:25%; background:#cccccc" align="center"|'''Date&Time'''<br>November 4, 2008 <br>8:30
   | style="width:25%; background:#cccccc" align="center"|'''Discussion Model'''<br>Everybody is a Participant
   |}
@@ Line 54: / Line 54: @@
 - Time: 30 mins
 Introduction
+- Time: 2 hrs 00 mins
+Identify and generate advice on short term issues with relatively low impact on adoption and site-breakage
+Analyze security feature matrix and compare browser features
 - Time: 2 hrs 30 mins
-Action Item: Identify 5 Key Browser Risks and select the top 3
+Address issues in the current HTML5 specifications
+- Time: 3 hrs 30 mins
+Long term: General policy enforcement (NoScript as a model for browsers?)
+Long term: JavaScript policy-driven sandboxing
+- Remaining time:
-- Time: 2 hrs 30 mins
+Identify 5 Key Browser Risks and select the top 3, Build a proposal to target key players in the industry and ask for their support
-Address issues in the current HTML 5 specifications
+Confirm point leads, roles and responsibilities
-- Time: 1 hr 30 mins
+'''Related resources:'''
-Build a proposal to target key players in the industry and ask for their support
+* [[OWASP_Working_Session_-_Browser_Security_Letters]]
-- Time: 30  mins
-Assign point leads, roles and responsibilities
   |}
 {| style="width:100%" border="0" align="center"
@@ Line 76: / Line 83: @@
   | style="width:7%; background:#7B8ABD" align="center"|
   | style="width:46%; background:#C2C2C2" align="center"|OWASP Top 10 Browser Wishlist.
-  | style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here.
+  | style="width:47%; background:#C2C2C2" align="center"|Successful. Top 10 browser security features identified.
   |-
   | style="width:7%; background:#7B8ABD" align="center"|
   | style="width:46%; background:#C2C2C2" align="center"|Actionable advice and technical arguments for HTML5 feature set.
-  | style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here.
+  | style="width:47%; background:#C2C2C2" align="center"|Unsuccessful. HTML5 was not discussed due to time constraints.
   |-
   | style="width:7%; background:#7B8ABD" align="center"|
   | style="width:46%; background:#C2C2C2" align="center"|Establish OWASP points-of-contact for W3C.
-  | style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here.
+  | style="width:47%; background:#C2C2C2" align="center"|Unsuccessful. W3C relationship was not discussed due to time constraints.
   |-
   | style="width:7%; background:#7B8ABD" align="center"|
-  | style="width:46%; background:#C2C2C2" align="center"|Fill in here.
+  | style="width:46%; background:#C2C2C2" align="center"|Understand vendor perspective
-  | style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here.
+ | style="width:47%; background:#C2C2C2" align="center"|Successful due to vendor insight from Peleus Uhley.
+ |-
+ | style="width:7%; background:#7B8ABD" align="center"|
+ | style="width:46%; background:#C2C2C2" align="center"|Identify top 3 risks to browsers
+  | style="width:47%; background:#C2C2C2" align="center"|Successful. A draft of an open letter to the browsers from the ISWG was created. Awaiting signing from security, industry and standards organizations before publishing.
+ |-
+ | style="width:7%; background:#7B8ABD" align="center"|
+ | style="width:46%; background:#C2C2C2" align="center"|Begin promotional activities
+ | style="width:47%; background:#C2C2C2" align="center"|Successful. Blog postings are planned, and talking points have been created.
   |}
 == Working Session Participants ==
-(Add you name by editing this table. On your the right, just above the this frame, you have the option to edit)
 {| style="width:100%" border="0" align="center"
   ! colspan="7" align="center" style="background:#4058A0; color:white"|<font color="white">'''WORKING SESSION PARTICIPANTS'''
- |-
- | style="width:7%; background:#7B8ABD" align="center"|
- | style="width:15%; background:#cccccc" align="center"|'''Name'''
- | style="width:15%; background:#cccccc" align="center"|'''Company'''
- | style="width:63%; background:#cccccc" align="center"|'''Notes & reason for participating, issues to be discussed/addressed'''
   |-
   | style="width:7%; background:#7B8ABD" align="center"|1
-  | style="width:15%; background:#cccccc" align="center"|Mario Heiderich
+  | style="width:15%; background:#cccccc" align="center"| Mario Heiderich
-  | style="width:15%; background:#cccccc" align="center"|Independent
+  | style="width:15%; background:#cccccc" align="center"| Independent
-  | style="width:63%; background:#cccccc" align="center"|General Expertise
+  | style="width:63%; background:#cccccc" align="center"| Participant
   |-
   | style="width:7%; background:#7B8ABD" align="center"|2
-  | style="width:15%; background:#cccccc" align="center"|Gareth Heyes
+  | style="width:15%; background:#cccccc" align="center"| Gareth Heyes
-  | style="width:15%; background:#cccccc" align="center"|Independent
+  | style="width:15%; background:#cccccc" align="center"| Independent
-  | style="width:63%; background:#cccccc" align="center"|General Expertise
+  | style="width:63%; background:#cccccc" align="center"| Participant
   |-
   | style="width:7%; background:#7B8ABD" align="center"|3
-  | style="width:15%; background:#cccccc" align="center"|Marcin Wielgoszewski
+  | style="width:15%; background:#cccccc" align="center"| Marcin Wielgoszewski
-  | style="width:15%; background:#cccccc" align="center"|Protiviti
+  | style="width:15%; background:#cccccc" align="center"| Protiviti
-  | style="width:63%; background:#cccccc" align="center"|Participant
+  | style="width:63%; background:#cccccc" align="center"| Participant
 |-
   | style="width:7%; background:#7B8ABD" align="center"|4
-  | style="width:15%; background:#cccccc" align="center"|Adam Baso
+  | style="width:15%; background:#cccccc" align="center"| Adam Baso
-  | style="width:15%; background:#cccccc" align="center"|Symantec
+  | style="width:15%; background:#cccccc" align="center"| Symantec
-  | style="width:63%; background:#cccccc" align="center"|Participant
+  | style="width:63%; background:#cccccc" align="center"| Participant
 |-
   | style="width:7%; background:#7B8ABD" align="center"|5
-  | style="width:15%; background:#cccccc" align="center"|
+  | style="width:15%; background:#cccccc" align="center"| Achim Hoffmann
-  | style="width:15%; background:#cccccc" align="center"|
+  | style="width:15%; background:#cccccc" align="center"| Independent
-  | style="width:63%; background:#cccccc" align="center"|
+  | style="width:63%; background:#cccccc" align="center"| Participant
 |-
   | style="width:7%; background:#7B8ABD" align="center"|6
-  | style="width:15%; background:#cccccc" align="center"|
+  | style="width:15%; background:#cccccc" align="center"| David Rook
-  | style="width:15%; background:#cccccc" align="center"|
+  | style="width:15%; background:#cccccc" align="center"| Realex Payments
-  | style="width:63%; background:#cccccc" align="center"|
+  | style="width:63%; background:#cccccc" align="center"| Participant
 |-
   | style="width:7%; background:#7B8ABD" align="center"|7
-  | style="width:15%; background:#cccccc" align="center"|
+  | style="width:15%; background:#cccccc" align="center"| Peleus Uhley
-  | style="width:15%; background:#cccccc" align="center"|
+  | style="width:15%; background:#cccccc" align="center"| Adobe Systems
-  | style="width:63%; background:#cccccc" align="center"|
+  | style="width:63%; background:#cccccc" align="center"| Participant
 |-
   | style="width:7%; background:#7B8ABD" align="center"|8
-  | style="width:15%; background:#cccccc" align="center"|
+  | style="width:15%; background:#cccccc" align="center"| Giorgio Fedon
-  | style="width:15%; background:#cccccc" align="center"|
+  | style="width:15%; background:#cccccc" align="center"| Minded Security
-  | style="width:63%; background:#cccccc" align="center"|
+  | style="width:63%; background:#cccccc" align="center"| Participant
 |-
   | style="width:7%; background:#7B8ABD" align="center"|9
-  | style="width:15%; background:#cccccc" align="center"|
+  | style="width:15%; background:#cccccc" align="center"| Esteban ribicic
-  | style="width:15%; background:#cccccc" align="center"|
+  | style="width:15%; background:#cccccc" align="center"| HP
-  | style="width:63%; background:#cccccc" align="center"|
+  | style="width:63%; background:#cccccc" align="center"| Participant
 |-
   | style="width:7%; background:#7B8ABD" align="center"|10
-  | style="width:15%; background:#cccccc" align="center"|
+  | style="width:15%; background:#cccccc" align="center"| Nishi Kumar
-  | style="width:15%; background:#cccccc" align="center"|
+  | style="width:15%; background:#cccccc" align="center"| Fidelity Nationals
-  | style="width:63%; background:#cccccc" align="center"|
+  | style="width:63%; background:#cccccc" align="center"| Participant
+|-
+ | style="width:7%; background:#7B8ABD" align="center"|11
+ | style="width:15%; background:#cccccc" align="center"| Alex Smolen
+ | style="width:15%; background:#cccccc" align="center"| Foundstone
+ | style="width:63%; background:#cccccc" align="center"| Participant
+|-
+ | style="width:7%; background:#7B8ABD" align="center"|12
+ | style="width:15%; background:#cccccc" align="center"| Tom Brennan
+ | style="width:15%; background:#cccccc" align="center"| WhiteHat Security
+ | style="width:63%; background:#cccccc" align="center"| Participant
+|-
+ | style="width:7%; background:#7B8ABD" align="center"|13
+ | style="width:15%; background:#cccccc" align="center"| Georg Hess
+ | style="width:15%; background:#cccccc" align="center"| Art of Defence
+ | style="width:63%; background:#cccccc" align="center"| Participant
+|-
+ | style="width:7%; background:#7B8ABD" align="center"|14
+ | style="width:15%; background:#cccccc" align="center"| Ljubibratic Gradimir
+ | style="width:15%; background:#cccccc" align="center"| Telecom Serbia
+ | style="width:63%; background:#cccccc" align="center"| Participant
+|-
+ | style="width:7%; background:#7B8ABD" align="center"|15
+ | style="width:15%; background:#cccccc" align="center"| Achim Hoffmann
+ | style="width:15%; background:#cccccc" align="center"| SecureNet
+ | style="width:63%; background:#cccccc" align="center"| Participant
+|-
+ | style="width:7%; background:#7B8ABD" align="center"|16
+ | style="width:15%; background:#cccccc" align="center"| Edgar Vasquez
+ | style="width:15%; background:#cccccc" align="center"| Softtek
+ | style="width:63%; background:#cccccc" align="center"| Participant
+|-
+ | style="width:7%; background:#7B8ABD" align="center"|17
+ | style="width:15%; background:#cccccc" align="center"|  Michael Coates
+ | style="width:15%; background:#cccccc" align="center"|  Aspect Security
+ | style="width:63%; background:#cccccc" align="center"|  Participant
+|-
+ | style="width:7%; background:#7B8ABD" align="center"|18
+ | style="width:15%; background:#cccccc" align="center"| David Campbell
+ | style="width:15%; background:#cccccc" align="center"| OWASP Denver
+ | style="width:63%; background:#cccccc" align="center"| Participant
+|-
+ | style="width:7%; background:#7B8ABD" align="center"|19
+ | style="width:15%; background:#cccccc" align="center"| Jeff Williams
+ | style="width:15%; background:#cccccc" align="center"| Aspect Security
+ | style="width:63%; background:#cccccc" align="center"| Participant
+|-
+ | style="width:7%; background:#7B8ABD" align="center"|20
+ | style="width:15%; background:#cccccc" align="center"| Kuai Hinojosa
+ | style="width:15%; background:#cccccc" align="center"| NYU
+ | style="width:63%; background:#cccccc" align="center"| Participant
   |}
+[[Category:OWASP_Working_Session]]

Difference between revisions of "OWASP Working Session - Browser Security"

Latest revision as of 19:17, 6 November 2008

Working Session Participants

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Reference

Tools