
Industry:DPC BS 8878:2009

From OWASP
Revision as of 16:39, 21 January 2009 by Clerkendweller (talk | contribs) (New page)



Return to Global Industry Committee

ACTIVITY IDENTIFICATION
Activity Name: DPC BS 8878:2009
Short Description: Provide comment on "BS 8878:2009 Web accessibility. Building accessible experiences for disabled people" Draft for Public Comment (DPC)
Related Projects: None
Email Contacts & Roles:
  • Primary: Colin Watson
  • Secondary: Puneet Mehta
Mailing list: None
ACTIVITY SPECIFICS
Objectives
  • Review DPC - in particular issues relating to web application security
  • Where appropriate, draft a response for submission
  • Submit the response as an official OWASP statement
Deadlines
  • TBC - Complete final draft response
  • TBC - Submit to OWASP Board for approval
  • 31 Jan 2009 - Submit to BSI British Standards
Resources:
  • Full DPC text
  • Response submission via drafts review system (registration required)


Submission Response (latest first)

Final version

TBC

Draft Text version 2

TBC

Draft Text version 1

'The format for providing feedback requires a comment and a proposed change. As feedback is provided PER SECTION, we cannot assume anyone will read the feedback to other sections first, i.e. each comment/change must stand on its own merits.'


0.2 Understanding accessible experiences


Comment: Web sites are fast becoming something we cannot live without, but they are insecure. User confidence is vital, and whatever skill, knowledge, experience or ability level a user has, we must develop web sites that are safe to use and do not create additional risks for the user.

Proposed change: In the sentence "The goal of any web project should be to create web experiences that are accessible, usable and enjoyable for everyone." add the word "safe" so that it reads "The goal of any web project should be to create web experiences that are accessible, usable, safe and enjoyable for everyone." This would necessitate an additional column in Table 1:

Safe: The user's privacy, data and computer systems are not compromised while they accomplish their goals.

Examples:
  • No malicious code was downloaded while downloading the web content
  • The user has confidence in the integrity of the information in the video
  • The audio description and video are available when the user requires them
  • By changing browser settings or the type of user agent, the user should not be at greater risk than other users



5.3 The technology selection process


[I feel there should be an additional bullet point here relating to security, but can't think of a suitable one just yet]

Comment: ?

Proposed change: Add another bullet "??????" in "Ensuring your audience will be able to do the following with your web content:" after "understand it;"


6.3 User Agent Accessibility Guidelines (UAAG)


Comment: While the website should be usable in popular browsers, this is not sufficient for testing purposes. Developers/programmers need to realise that people will try to access the content using "non-browser" tools to look for vulnerabilities, and the website should be secure enough to protect its users and itself from such threats. This requires testing beyond "popular browsers".

Proposed change: Add "Note 6 - The website must be secure enough to protect itself and its users from security vulnerabilities which may not be apparent if testing is limited to 'a reasonable range of web browsers'. OWASP has produced a detailed testing guide: http://www.owasp.org/index.php/Category:OWASP_Testing_Project"


Annex H (informative) Contracting web design and auditing services


Comment: [as 0.2?]

Proposed changes: In H.1.3 add another item "awareness of website security issues"; in H.3.1 add another item "Will security implications be included in the testing?"; and in H.3.2 add another item "Does the supplier use the OWASP Application Security Verification Standard to provide a level of confidence in the security of the project?"


Bibliography - Useful web contents


Comment: OWASP has the most comprehensive resources available for specifying, designing, developing, testing and operating web applications. For example, the Top 10 project is referenced in the PCI Data Security Standard. http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Proposed change: Add "Open Web Application Security Project (OWASP) http://www.owasp.org"

