Industry:DPC BS 8878:2009

Submission Response
Latest first

Final version
TBC

Draft Text version 2
TBC

Draft Text version 1
'The format for providing feedback requires a comment and proposed change. As feedback is provided PER SECTION, we cannot assume anyone will read the feedback to other sections first i.e. each comment/change must stand on its own merits.'

0.2 Understanding accessible experiences

Comment: Web sites are fast becoming something we cannot live without, but they are insecure. User confidence is vital, and whatever the skill, knowledge, experience or ability level of a user, we must develop web sites that are safe to use and do not create additional risks to the user.

Proposed change: In the sentence "The goal of any web project should be to create web experiences that are accessible, usable and enjoyable for everyone." add the word "safe" so that it reads "The goal of any web project should be to create web experiences that are accessible, usable, safe and enjoyable for everyone." This would necessitate an additional column in Table 1:

Safe

The user's privacy, data and computer systems are not compromised while they accomplish their goals.

Examples

No malicious code was downloaded while downloading the web content

The user has confidence in the integrity of the information in the video

The audio description and video are available when the user requires

By changing browser settings or the type of user agent, the user should not be at greater risk than other users

5.3 The technology selection process

[I feel there should be an additional bullet point here relating to security, but can't think of a suitable one just yet]

Comment: ?

Proposed change: Add another bullet "??????" in "Ensuring your audience will be able to do the following with your web content:" after "understand it;"

6.3 User Agent Accessibility Guidelines (UAAG)

Comment: While the website should be usable in popular browsers, this is not sufficient for testing purposes. Developers/programmers need to realise that people will try to access the content using "non-browser" tools to look for vulnerabilities, and the website should be secure enough to protect users and itself from such threats. This requires testing beyond "popular browsers".

Proposed change: Add "Note 6 - The website must be secure enough to protect itself and its users from security vulnerabilities which may not be apparent by limiting testing to 'a reasonable range of web browsers'. OWASP has produced a detailed testing guide http://www.owasp.org/index.php/Category:OWASP_Testing_Project"

Annex H (informative) Contracting web design and auditing services

Comment: [as 0.2?]

Proposed changes: In H.1.3 add another item "awareness of website security issues", in H.3.1 add another item "Will security implications be included in the testing?" and in H.3.2 add another item "Does the supplier use the OWASP Application Security Verification Standard to provide a level of confidence in the security of the project?"

Bibliography - Useful web contents

Comment: OWASP has the most comprehensive resources available for specifying, designing, developing, testing and operating web applications. For example, the Top 10 project is referenced in the PCI Data Security Standard. http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Proposed change: Add "Open Web Application Security Project (OWASP) http://www.owasp.org"
