Difference between revisions of "OWASP Working Session - Browser Security"

From OWASP
Jump to: navigation, search
(Working Session Participants)
Line 133: Line 133:
 
  |-
 
  |-
 
  | style="width:7%; background:#7B8ABD" align="center"|1
 
  | style="width:7%; background:#7B8ABD" align="center"|1
  | style="width:15%; background:#cccccc" align="center"|Mario Heiderich
+
  | style="width:15%; background:#cccccc" align="center"| Mario Heiderich
  | style="width:15%; background:#cccccc" align="center"|Independent
+
  | style="width:15%; background:#cccccc" align="center"| Independent
  | style="width:63%; background:#cccccc" align="center"|General Expertise
+
  | style="width:63%; background:#cccccc" align="center"| Participant
 
  |-
 
  |-
 
  | style="width:7%; background:#7B8ABD" align="center"|2
 
  | style="width:7%; background:#7B8ABD" align="center"|2
  | style="width:15%; background:#cccccc" align="center"|Gareth Heyes
+
  | style="width:15%; background:#cccccc" align="center"| Gareth Heyes
  | style="width:15%; background:#cccccc" align="center"|Independent
+
  | style="width:15%; background:#cccccc" align="center"| Independent
  | style="width:63%; background:#cccccc" align="center"|General Expertise
+
  | style="width:63%; background:#cccccc" align="center"| Participant
 
  |-
 
  |-
 
  | style="width:7%; background:#7B8ABD" align="center"|3
 
  | style="width:7%; background:#7B8ABD" align="center"|3
  | style="width:15%; background:#cccccc" align="center"|Marcin Wielgoszewski
+
  | style="width:15%; background:#cccccc" align="center"| Marcin Wielgoszewski
  | style="width:15%; background:#cccccc" align="center"|Protiviti
+
  | style="width:15%; background:#cccccc" align="center"| Protiviti
  | style="width:63%; background:#cccccc" align="center"|Participant
+
  | style="width:63%; background:#cccccc" align="center"| Participant
 
|-
 
|-
 
  | style="width:7%; background:#7B8ABD" align="center"|4
 
  | style="width:7%; background:#7B8ABD" align="center"|4
  | style="width:15%; background:#cccccc" align="center"|Adam Baso
+
  | style="width:15%; background:#cccccc" align="center"| Adam Baso
  | style="width:15%; background:#cccccc" align="center"|Symantec
+
  | style="width:15%; background:#cccccc" align="center"| Symantec
  | style="width:63%; background:#cccccc" align="center"|Participant
+
  | style="width:63%; background:#cccccc" align="center"| Participant
 
|-
 
|-
 
  | style="width:7%; background:#7B8ABD" align="center"|5
 
  | style="width:7%; background:#7B8ABD" align="center"|5
  | style="width:15%; background:#cccccc" align="center"|Achim Hoffmann
+
  | style="width:15%; background:#cccccc" align="center"| Achim Hoffmann
  | style="width:15%; background:#cccccc" align="center"|Independent
+
  | style="width:15%; background:#cccccc" align="center"| Independent
  | style="width:63%; background:#cccccc" align="center"|Participant
+
  | style="width:63%; background:#cccccc" align="center"| Participant
 
|-
 
|-
 
  | style="width:7%; background:#7B8ABD" align="center"|6
 
  | style="width:7%; background:#7B8ABD" align="center"|6
  | style="width:15%; background:#cccccc" align="center"|David Rook
+
  | style="width:15%; background:#cccccc" align="center"| David Rook
  | style="width:15%; background:#cccccc" align="center"|Realex Payments  
+
  | style="width:15%; background:#cccccc" align="center"| Realex Payments  
  | style="width:63%; background:#cccccc" align="center"|General Expertise
+
  | style="width:63%; background:#cccccc" align="center"| Participant
 
|-
 
|-
 
  | style="width:7%; background:#7B8ABD" align="center"|7
 
  | style="width:7%; background:#7B8ABD" align="center"|7
  | style="width:15%; background:#cccccc" align="center"|Peleus Uhley
+
  | style="width:15%; background:#cccccc" align="center"| Peleus Uhley
  | style="width:15%; background:#cccccc" align="center"|Adobe Systems
+
  | style="width:15%; background:#cccccc" align="center"| Adobe Systems
  | style="width:63%; background:#cccccc" align="center"|General Expertise
+
  | style="width:63%; background:#cccccc" align="center"| Participant
 
|-
 
|-
 
  | style="width:7%; background:#7B8ABD" align="center"|8
 
  | style="width:7%; background:#7B8ABD" align="center"|8
  | style="width:15%; background:#cccccc" align="center"|Giorgio Fedon
+
  | style="width:15%; background:#cccccc" align="center"| Giorgio Fedon
  | style="width:15%; background:#cccccc" align="center"|Minded Security
+
  | style="width:15%; background:#cccccc" align="center"| Minded Security
  | style="width:63%; background:#cccccc" align="center"|Participant
+
  | style="width:63%; background:#cccccc" align="center"| Participant
 
|-
 
|-
 
  | style="width:7%; background:#7B8ABD" align="center"|9
 
  | style="width:7%; background:#7B8ABD" align="center"|9
  | style="width:15%; background:#cccccc" align="center"|Esteban ribicic
+
  | style="width:15%; background:#cccccc" align="center"| Esteban ribicic
  | style="width:15%; background:#cccccc" align="center"|HP
+
  | style="width:15%; background:#cccccc" align="center"| HP
  | style="width:63%; background:#cccccc" align="center"|Participant
+
  | style="width:63%; background:#cccccc" align="center"| Participant
 
|-
 
|-
 
  | style="width:7%; background:#7B8ABD" align="center"|10
 
  | style="width:7%; background:#7B8ABD" align="center"|10
  | style="width:15%; background:#cccccc" align="center"|Nishi Kumar
+
  | style="width:15%; background:#cccccc" align="center"| Nishi Kumar
  | style="width:15%; background:#cccccc" align="center"|Fidelity Nationals
+
  | style="width:15%; background:#cccccc" align="center"| Fidelity Nationals
  | style="width:63%; background:#cccccc" align="center"|General Expertise
+
  | style="width:63%; background:#cccccc" align="center"| Participant
 
|-
 
|-
 
  | style="width:7%; background:#7B8ABD" align="center"|11
 
  | style="width:7%; background:#7B8ABD" align="center"|11
  | style="width:15%; background:#cccccc" align="center"|Alex Smolen
+
  | style="width:15%; background:#cccccc" align="center"| Alex Smolen
  | style="width:15%; background:#cccccc" align="center"|Foundstone
+
  | style="width:15%; background:#cccccc" align="center"| Foundstone
  | style="width:63%; background:#cccccc" align="center"|General Expertise
+
  | style="width:63%; background:#cccccc" align="center"| Participant
 
|-
 
|-
 
  | style="width:7%; background:#7B8ABD" align="center"|12
 
  | style="width:7%; background:#7B8ABD" align="center"|12
 
  | style="width:15%; background:#cccccc" align="center"| Tom Brennan
 
  | style="width:15%; background:#cccccc" align="center"| Tom Brennan
 
  | style="width:15%; background:#cccccc" align="center"| WhiteHat Security
 
  | style="width:15%; background:#cccccc" align="center"| WhiteHat Security
  | style="width:63%; background:#cccccc" align="center"| General Expertise
+
  | style="width:63%; background:#cccccc" align="center"| Participant
 
|-
 
|-
 
  | style="width:7%; background:#7B8ABD" align="center"|13
 
  | style="width:7%; background:#7B8ABD" align="center"|13
 
  | style="width:15%; background:#cccccc" align="center"| Georg Hess
 
  | style="width:15%; background:#cccccc" align="center"| Georg Hess
  | style="width:15%; background:#cccccc" align="center"| art of defence
+
  | style="width:15%; background:#cccccc" align="center"| Art of Defence
  | style="width:63%; background:#cccccc" align="center"| General Expertise
+
  | style="width:63%; background:#cccccc" align="center"| Participant
 
|-
 
|-
 
  | style="width:7%; background:#7B8ABD" align="center"|14
 
  | style="width:7%; background:#7B8ABD" align="center"|14
 
  | style="width:15%; background:#cccccc" align="center"| Ljubibratic Gradimir
 
  | style="width:15%; background:#cccccc" align="center"| Ljubibratic Gradimir
 
  | style="width:15%; background:#cccccc" align="center"| Telecom Serbia
 
  | style="width:15%; background:#cccccc" align="center"| Telecom Serbia
  | style="width:63%; background:#cccccc" align="center"| General Expertise
+
  | style="width:63%; background:#cccccc" align="center"| Participant
 
|-
 
|-
 
  | style="width:7%; background:#7B8ABD" align="center"|15
 
  | style="width:7%; background:#7B8ABD" align="center"|15
 
  | style="width:15%; background:#cccccc" align="center"| Achim Hoffmann
 
  | style="width:15%; background:#cccccc" align="center"| Achim Hoffmann
 
  | style="width:15%; background:#cccccc" align="center"| SecureNet
 
  | style="width:15%; background:#cccccc" align="center"| SecureNet
  | style="width:63%; background:#cccccc" align="center"| General Expertise
+
  | style="width:63%; background:#cccccc" align="center"| Participant
 
|-
 
|-
 
  | style="width:7%; background:#7B8ABD" align="center"|16
 
  | style="width:7%; background:#7B8ABD" align="center"|16
  | style="width:15%; background:#cccccc" align="center"| edgar vasquez
+
  | style="width:15%; background:#cccccc" align="center"| Edgar Vasquez
 
  | style="width:15%; background:#cccccc" align="center"| Softtek
 
  | style="width:15%; background:#cccccc" align="center"| Softtek
  | style="width:63%; background:#cccccc" align="center"| General Expertise
+
  | style="width:63%; background:#cccccc" align="center"| Participant
 
|-
 
|-
 
  | style="width:7%; background:#7B8ABD" align="center"|17
 
  | style="width:7%; background:#7B8ABD" align="center"|17
 
  | style="width:15%; background:#cccccc" align="center"|  Michael Coates
 
  | style="width:15%; background:#cccccc" align="center"|  Michael Coates
 
  | style="width:15%; background:#cccccc" align="center"|  Aspect Security
 
  | style="width:15%; background:#cccccc" align="center"|  Aspect Security
  | style="width:63%; background:#cccccc" align="center"|  General Expertise
+
  | style="width:63%; background:#cccccc" align="center"|  Participant
 
|-
 
|-
 
  | style="width:7%; background:#7B8ABD" align="center"|18
 
  | style="width:7%; background:#7B8ABD" align="center"|18
 
  | style="width:15%; background:#cccccc" align="center"| David Campbell
 
  | style="width:15%; background:#cccccc" align="center"| David Campbell
 
  | style="width:15%; background:#cccccc" align="center"| OWASP Denver
 
  | style="width:15%; background:#cccccc" align="center"| OWASP Denver
  | style="width:63%; background:#cccccc" align="center"| General Expertise
+
  | style="width:63%; background:#cccccc" align="center"| Participant
 
|-
 
|-
 
  | style="width:7%; background:#7B8ABD" align="center"|19
 
  | style="width:7%; background:#7B8ABD" align="center"|19
 
  | style="width:15%; background:#cccccc" align="center"| Jeff Williams
 
  | style="width:15%; background:#cccccc" align="center"| Jeff Williams
 
  | style="width:15%; background:#cccccc" align="center"| Aspect Security
 
  | style="width:15%; background:#cccccc" align="center"| Aspect Security
  | style="width:63%; background:#cccccc" align="center"| General Expertise
+
  | style="width:63%; background:#cccccc" align="center"| Participant
 
|-
 
|-
 
  | style="width:7%; background:#7B8ABD" align="center"|20
 
  | style="width:7%; background:#7B8ABD" align="center"|20
 
  | style="width:15%; background:#cccccc" align="center"| Kuai Hinojosa
 
  | style="width:15%; background:#cccccc" align="center"| Kuai Hinojosa
 
  | style="width:15%; background:#cccccc" align="center"| NYU
 
  | style="width:15%; background:#cccccc" align="center"| NYU
  | style="width:63%; background:#cccccc" align="center"| General Expertise
+
  | style="width:63%; background:#cccccc" align="center"| Participant
 
  |}
 
  |}
  
 
[[Category:OWASP_Working_Session]]
 
[[Category:OWASP_Working_Session]]

Revision as of 08:05, 4 November 2008

Working Sessions Operational Rules - Please see here the general frame of rules.
WORKING SESSION IDENTIFICATION
Work Session Name ISWG Browser Security
Short Work Session Description Brainstorming on how to introduce more useful security into our browsers
Related Projects (if any)

OWASP ISWG (Intrinsic Security Working Group) = OWASP Intrinsic Security Working Group - Browser Security

Email Contacts & Roles Chair
Arshan Dabirsiaghi
Secretary
Kuai Hinojosa
Mailing list
Subscription Page
WORKING SESSION SPECIFICS
Objectives
  • Discuss ongoing HTML5 security research,
  • Discuss further ramifications of HTML5 (cross-site XHR, Access-Control, client storage, etc.),
  • Take a look at security critical areas and discuss possible browser improvements.
Venue/Date&Time/Model Venue
OWASP EU Summit Portugal 2008
Date&Time
November 4, 2008
8:30
Discussion Model
Everybody is a Participant
WORKING SESSION OPERATIONAL RESOURCES
Projector, whiteboards, markers, Internet connectivity, power
WORKING SESSION ADDITIONAL DETAILS
  • Browsers to invite: IE, FF, Safari, Opera and Chrome.
  • Agenda:

- Time: 30 mins Introduction

- Time: 2 hrs 00 mins Identify and generate advice on short term issues with relatively low impact on adoption and site-breakage Analyze security feature matrix and compare browser features

- Time: 2 hrs 30 mins Address issues in the current HTML5 specifications

- Time: 3 hrs 30 mins Long term: General policy enforcement (NoScript as a model for browsers?) Long term: JavaScript policy-driven sandboxing

- Remaining time:

Identify 5 Key Browser Risks and select the top 3, Build a proposal to target key players in the industry and ask for their support Confirm point leads, roles and responsibilities

Related resources:

WORKING SESSION OUTCOMES
Statements, Initiatives or Decisions Proposed by Working Group Approved by OWASP Board
OWASP Top 10 Browser Wishlist. After the Board Meeting - fill in here.
Actionable advice and technical arguments for HTML5 feature set. After the Board Meeting - fill in here.
Establish OWASP points-of-contact for W3C. After the Board Meeting - fill in here.
Fill in here. After the Board Meeting - fill in here.

Working Session Participants

(Add you name by editing this table. On your the right, just above the this frame, you have the option to edit)

WORKING SESSION PARTICIPANTS
Name Company Notes & reason for participating, issues to be discussed/addressed
- TDB
(Officially Invited by OWASP)
GetOpenContent_002.png Official Representative from Microsoft's IE team
- TDB
(Officially Invited by OWASP)
product-firefox-50.png Official Representative from Mozilla Foundation's Firefox team
- TDB
(Officially Invited by OWASP)
43px-Opera_O.png Official Representative from Opera's team
- TDB
(Officially Invited by OWASP)
safarirss.gif Official Representative from Apple's Safari team
- TDB
(Officially Invited by OWASP)
chrome.gif Official Representative from Google's Chrome team
1 Mario Heiderich Independent Participant
2 Gareth Heyes Independent Participant
3 Marcin Wielgoszewski Protiviti Participant
4 Adam Baso Symantec Participant
5 Achim Hoffmann Independent Participant
6 David Rook Realex Payments Participant
7 Peleus Uhley Adobe Systems Participant
8 Giorgio Fedon Minded Security Participant
9 Esteban ribicic HP Participant
10 Nishi Kumar Fidelity Nationals Participant
11 Alex Smolen Foundstone Participant
12 Tom Brennan WhiteHat Security Participant
13 Georg Hess Art of Defence Participant
14 Ljubibratic Gradimir Telecom Serbia Participant
15 Achim Hoffmann SecureNet Participant
16 Edgar Vasquez Softtek Participant
17 Michael Coates Aspect Security Participant
18 David Campbell OWASP Denver Participant
19 Jeff Williams Aspect Security Participant
20 Kuai Hinojosa NYU Participant