ISWG Status 200811
The goals for November included publishing the working documents initially produced during the OWASP EU Summit working group sessions. Unfortunately, I was too busy this quarter to find the time to make those materials ready for public consumption. This is a priority goal for the December/January time period.
Another goal of the month of November was to clear up the group charter. After some thought, I think the charter of the group should be to:
1. Contribute our security knowledge towards standards organizations
2. Act as a consumer awareness group for web application framework security mechanisms and browser security features
3. Serve as a platform for OWASP members who want to effect change at any of the building blocks in today's or tomorrow's web applications
It's simple and limited, and I think that's all that we can really expect. Realistically, the browsers all have strong security teams dealing with today's problems, and I think there's a niche for OWASP to fill in looking at the future for them and the community.
Also, in November a discussion on the board between members led to the creation of a Google group aiming to create an HTTPOnly standard for browser makers to follow. We are now as a group making a first cut at a standard after some deliberation, and have been in discussion with some browser vendors for feedback. This is an extremely positive and global effect.
Finally, in November I participated in the ESAPI as a representative of the ISWG.
The goals of December/January include:
- Formalizing the documents from the EU Summit and publishing them
- Following up with HTTPOnly work