This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Summit 2011 Working Sessions/Session003"

From OWASP
Jump to: navigation, search
Line 1: Line 1:
<noinclude>{{:Category:Summit_2011_Browser_Security_Track}}</noinclude>
+
{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Summit 2011 Working Sessions test tab</noinclude>
<includeonly>{{Template:{{{1}}}
 
 
|-
 
|-
  
| summit_session_attendee_name1 =  
+
| summit_session_attendee_name1 = Email John Wilander if you are unable to edit the Wiki and would like to sign up!
| summit_session_attendee_email1 =  
+
| summit_session_attendee_email1 = [email protected]
 
| summit_session_attendee_company1=
 
| summit_session_attendee_company1=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed1=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed1=
  
| summit_session_attendee_name2 =  
+
| summit_session_attendee_name2 = Michael Coates
 
| summit_session_attendee_email2 =  
 
| summit_session_attendee_email2 =  
 
| summit_session_attendee_company2=
 
| summit_session_attendee_company2=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed2=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed2=
  
| summit_session_attendee_name3 =  
+
| summit_session_attendee_name3 = Colin Watson
 
| summit_session_attendee_email3 =  
 
| summit_session_attendee_email3 =  
 
| summit_session_attendee_company3=
 
| summit_session_attendee_company3=
Line 104: Line 103:
  
 
|-
 
|-
| summit_session_name = Securing Plugins
+
| summit_track_logo = [[Image:T._browser_security.jpg]]
 +
| summit_ws_logo = [[Image:WS._browser_security.jpg]]
 +
| summit_session_name = EcmaScript 5 Security
 
| summit_session_url = http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session003
 
| summit_session_url = http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session003
| mailing_list =
+
| mailing_list = https://groups.google.com/group/owasp-summit-browsersec
 
|-
 
|-
  
| short_working_session_description= Should browsers ship with default plugins? Should plugins be auto-updated? Can plugins or versions of plugins be blacklisted centrally?
+
| short_working_session_description=  
 
 
 
|-
 
|-
  
| related_project_name1 =  
+
| related_project_name1 = Browser Security Track - main page
| related_project_url_1 =  
+
| related_project_url_1 = http://www.owasp.org/index.php/Category:Summit_2011_Browser_Security_Track
  
| related_project_name2 =  
+
| related_project_name2 = Google Group for the Browser Security Track
| related_project_url_2 =  
+
| related_project_url_2 = https://groups.google.com/group/owasp-summit-browsersec
  
 
| related_project_name3 =  
 
| related_project_name3 =  
Line 130: Line 130:
 
|-
 
|-
  
| summit_session_objective_name1=  
+
| summit_session_objective_name1= '''Fix the problems with Object.defineProperty() and property unsealing / [https://bugzilla.mozilla.org/show_bug.cgi?id=588138 double-freezing]'''.<noinclude> Implement it if not yet done.</noinclude>
  
| summit_session_objective_name2 =  
+
| summit_session_objective_name2 = <noinclude>'''Goal I''': </noinclude> Raise awareness for the power or object freezing in a security context. <noinclude>ES5 can really make a change here.<noinclude>
  
| summit_session_objective_name3 =  
+
| summit_session_objective_name3 = <noinclude>'''Goal II''':</noinclude> Raise awareness in seeing the DOM as the place where XSS attacks actually take place - and where they should be prevented. <noinclude> CSP is a great yet still immature start - but worth discussing and extending. Discuss specification drafts for a secure DOM and easy to configure capability profiles with reasonable and quantitative proofs of concept.</noinclude>
  
| summit_session_objective_name4 =  
+
| summit_session_objective_name4 = '''Long Term Goal''': Discuss the possibility of vendor supported client side security mechanisms. <noinclude>Client side IDS/IPS based on ES5 can be possible - yet have to be designed and specified. </noinclude>
  
 
| summit_session_objective_name5 =   
 
| summit_session_objective_name5 =   
 
 
|-
 
|-
  
| working_session_date_and_time =  
+
| working_session_date_and_time = Tuesday, 09 February <br> Time: TBA
  
 
|-
 
|-
  
| discussion_model = participants and attendees
+
| discussion_model = The working form will most probably be short presentations to frame the topic and then round table discussions. Depending on number of attendees we'll break into groups.
  
 
|-
 
|-
Line 154: Line 153:
 
|-
 
|-
  
| working_session_additional_details =  
+
| working_session_additional_details = <br>
 +
 
 +
===Co-chair Mario Heiderich===
 +
Mario Heiderich works as a researcher for the Ruhr-University in Bochum, Germany and currently focuses on HTML5, SVG security and security implications of the ES5 specification draft. Mario invoked the [http://html5sec.org/ HTML5 security cheat-sheet] and maintains the [http://php-ids.org/ PHPIDS filter rules]. In his spare time he delivers trainings and security consultancy for larger German and international companies. He is also one of the co-authors of [http://www.amazon.com/Web-Application-Obfuscation-WAFs-Evasion-Filters-alert/dp/1597496049 Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-'] – a book on how an attacker would bypass different types of security controls including IDS/IPS.
 +
 
 +
===Co-chair 2===
 +
To be confirmed.
  
 
|-
 
|-
  
|summit_session_deliverable_name1 =  
+
|summit_session_deliverable_name1 = Browser Security Report
 
|summit_session_deliverable_url_1 =  
 
|summit_session_deliverable_url_1 =  
  
|summit_session_deliverable_name2 =  
+
|summit_session_deliverable_name2 = Browser Security Priority List
 
|summit_session_deliverable_url_2 =  
 
|summit_session_deliverable_url_2 =  
  
Line 175: Line 180:
 
|-
 
|-
  
| summit_session_leader_name1 =  
+
| summit_session_leader_name1 = Mario Heiderich
 
| summit_session_leader_email1 =  
 
| summit_session_leader_email1 =  
  
| summit_session_leader_name2 =  
+
| summit_session_leader_name2 = TBC
 
| summit_session_leader_email2 =  
 
| summit_session_leader_email2 =  
  
| summit_session_leader_name3 =  
+
| summit_session_leader_name3 =
 
| summit_session_leader_email3 =  
 
| summit_session_leader_email3 =  
  
 
|-
 
|-
  
| operational_leader_name1 =
+
| operational_leader_name1 = John Wilander
| operational_leader_email1 =
+
| operational_leader_email1 = [email protected]
  
 
|-
 
|-
 
 
| meeting_notes =  
 
| meeting_notes =  
 
 
|-
 
|-
 
| session_name_mask = <!--Please replace DO NOT EDIT this string --> Session003
 
| session_name_mask = <!--Please replace DO NOT EDIT this string --> Session003
| session_home_page = <!--Please replace DO NOT EDIT this string --> Summit_2011_Working_Sessions/Session003  
+
| session_home_page = <!--Please replace DO NOT EDIT this string --> Summit_2011_Working_Sessions/Session003
 
}}
 
}}
 +
</includeonly>

Revision as of 01:30, 25 January 2011

Global Summit 2011 Home Page
Global Summit 2011 Tracks

WS. browser security.jpg EcmaScript 5 Security
Please see/use the 'discussion' page for more details about this Working Session
Working Sessions Operational Rules - Please see here the general frame of rules.
WORKING SESSION IDENTIFICATION
Short Work Session Description
Related Projects (if any)


Email Contacts & Roles Chair
Mario Heiderich
TBC
 Operational Manager
John Wilander @ 		Mailing list
https://groups.google.com/group/owasp-summit-browsersec
WORKING SESSION SPECIFICS
Objectives
  1. Fix the problems with Object.defineProperty() and property unsealing / double-freezing. Implement it if not yet done.
  2. Goal I: Raise awareness for the power or object freezing in a security context. ES5 can really make a change here.
  3. Goal II: Raise awareness in seeing the DOM as the place where XSS attacks actually take place - and where they should be prevented. CSP is a great yet still immature start - but worth discussing and extending. Discuss specification drafts for a secure DOM and easy to configure capability profiles with reasonable and quantitative proofs of concept.
  4. Long Term Goal: Discuss the possibility of vendor supported client side security mechanisms. Client side IDS/IPS based on ES5 can be possible - yet have to be designed and specified.

Venue/Date&Time/Model Venue/Room
OWASP Global Summit Portugal 2011 		Date & Time
Tuesday, 09 February
Time: TBA


Discussion Model
The working form will most probably be short presentations to frame the topic and then round table discussions. Depending on number of attendees we'll break into groups.

WORKING SESSION OPERATIONAL RESOURCES
Projector, whiteboards, markers, Internet connectivity, power

WORKING SESSION ADDITIONAL DETAILS

Co-chair Mario Heiderich

Mario Heiderich works as a researcher for the Ruhr-University in Bochum, Germany and currently focuses on HTML5, SVG security and security implications of the ES5 specification draft. Mario invoked the HTML5 security cheat-sheet and maintains the PHPIDS filter rules. In his spare time he delivers trainings and security consultancy for larger German and international companies. He is also one of the co-authors of Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-' – a book on how an attacker would bypass different types of security controls including IDS/IPS.

Co-chair 2

To be confirmed.

WORKING SESSION OUTCOMES / DELIVERABLES
Proposed by Working Group Approved by OWASP Board

Browser Security Report

After the Board Meeting - fill in here.

Browser Security Priority List

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

{{{summit_session_deliverable_name6}}}

After the Board Meeting - fill in here.

{{{summit_session_deliverable_name7}}}

After the Board Meeting - fill in here.

{{{summit_session_deliverable_name8}}}

After the Board Meeting - fill in here.

Working Session Participants

(Add you name by clicking "edit" on the tab on the upper left side of this page)

WORKING SESSION PARTICIPANTS
Name Company Notes & reason for participating, issues to be discussed/addressed
Email John Wilander if you are unable to edit the Wiki and would like to sign up! @


Michael Coates


Colin Watson





















































</includeonly>

Retrieved from "https://wiki.owasp.org/index.php?title=Summit_2011_Working_Sessions/Session003&oldid=101802"