Difference between revisions of "OWASP Working Session - Browser Security"

(listing outcomes)
 
(29 intermediate revisions by 12 users not shown)
Line 6: Line 6:
 
  |-
 
  |-
 
  | style="width:15%; background:#7B8ABD" align="center"|'''Work Session Name'''
 
  | style="width:15%; background:#7B8ABD" align="center"|'''Work Session Name'''
  | colspan="6" style="width:85%; background:#cccccc" align="left"|<font color="black">'''Browser Security'''
+
  | colspan="6" style="width:85%; background:#cccccc" align="left"|<font color="black">'''ISWG Browser Security'''
 
  |-
 
  |-
 
  | style="width:15%; background:#7B8ABD" align="center"| '''Short Work Session Description'''  
 
  | style="width:15%; background:#7B8ABD" align="center"| '''Short Work Session Description'''  
  | colspan="6" style="width:85%; background:#cccccc" align="left"|TBD
+
  | colspan="6" style="width:85%; background:#cccccc" align="left"|Brainstorming on how to introduce more useful security into our browsers
 
  |-
 
  |-
 
  | style="width:15%; background:#7B8ABD" align="center"| '''Related Projects (if any)'''  
 
  | style="width:15%; background:#7B8ABD" align="center"| '''Related Projects (if any)'''  
 
  | colspan="6" style="width:85%; background:#cccccc" align="left"|
 
  | colspan="6" style="width:85%; background:#cccccc" align="left"|
OWASP Working Group - Browser Security
+
OWASP ISWG (Intrinsic Security Working Group) = OWASP Intrinsic Security Working Group - Browser Security
 
  |-
 
  |-
 
  | style="width:25%; background:#7B8ABD" align="center"|'''Email Contacts & Roles'''
 
  | style="width:25%; background:#7B8ABD" align="center"|'''Email Contacts & Roles'''
 
  | style="width:25%; background:#cccccc" align="center"|'''Chair'''<br>[mailto:arshan.dabirsiaghi(at)aspectsecurity.com '''Arshan Dabirsiaghi''']  
 
  | style="width:25%; background:#cccccc" align="center"|'''Chair'''<br>[mailto:arshan.dabirsiaghi(at)aspectsecurity.com '''Arshan Dabirsiaghi''']  
  | style="width:25%; background:#cccccc" align="center"|'''Secretary'''<br>[mailto:name(at)name '''TBD''']
+
  | style="width:25%; background:#cccccc" align="center"|'''Secretary'''<br>[mailto:kuai.hinojosa(at)owasp.org '''Kuai Hinojosa''']
  | style="width:25%; background:#cccccc" align="center"|'''Mailing list'''<br>[https://lists.owasp.org/mailman/listinfo/owasp-education '''Subscription Page''']
+
  | style="width:25%; background:#cccccc" align="center"|'''Mailing list'''<br>[https://lists.owasp.org/mailman/listinfo/owasp-browser-security-wg '''Subscription Page''']
 
  |}
 
  |}
 
{| style="width:100%" border="0" align="center"
 
{| style="width:100%" border="0" align="center"
Line 25: Line 25:
 
  | style="width:15%; background:#7B8ABD" align="center"|'''Objectives'''
 
  | style="width:15%; background:#7B8ABD" align="center"|'''Objectives'''
 
  | colspan="6" style="width:85%; background:#cccccc" align="left"|<font color="black">
 
  | colspan="6" style="width:85%; background:#cccccc" align="left"|<font color="black">
* How to improve knowledge transfer from OWASP projects towards the community,
+
* Discuss ongoing HTML5 security research,
* How to create training material (lessons, classes, courses) from OWASP project material?
+
* Discuss further ramifications of HTML5 (cross-site XHR, Access-Control, client storage, etc.),
* How to set up an OWASP education baseline,
+
* Take a look at security critical areas and discuss possible browser improvements.
* How to setup an OWASP Boot Camp,
+
* How to connect to organisation to promote OWASP education content: e.g. universities, other non-profit (or profit?) education organisations,
+
* How to organize the OWASP / Conference trainings to make them the best in the world?
+
* Can we integrate this into OWASP certification projects?
+
* How to setup an OWASP Boot Camp?
+
* How to create lessons, classes, courses from OWASP project material?
+
 
  |-
 
  |-
 
  | style="width:25%; background:#7B8ABD" align="center"|'''Venue/Date&Time/Model'''
 
  | style="width:25%; background:#7B8ABD" align="center"|'''Venue/Date&Time/Model'''
 
  | style="width:25%; background:#cccccc" align="center"|'''Venue'''<br>[[:OWASP EU Summit 2008|OWASP EU Summit Portugal 2008]]  
 
  | style="width:25%; background:#cccccc" align="center"|'''Venue'''<br>[[:OWASP EU Summit 2008|OWASP EU Summit Portugal 2008]]  
  | style="width:25%; background:#cccccc" align="center"|'''Date&Time'''<br>November 5, 2008 <br>Time TBD
+
  | style="width:25%; background:#cccccc" align="center"|'''Date&Time'''<br>November 4, 2008 <br>8:30
  | style="width:25%; background:#cccccc" align="center"|'''Discussion Model'''<br>"Everybody is a Participant"
+
  | style="width:25%; background:#cccccc" align="center"|'''Discussion Model'''<br>Everybody is a Participant
 
  |}
 
  |}
 
{| style="width:100%" border="0" align="center"
 
{| style="width:100%" border="0" align="center"
Line 47: Line 41:
 
  ! colspan="7" align="center" style="background:#4058A0; color:white"|<font color="white">'''WORKING SESSION OPERATIONAL RESOURCES'''  
 
  ! colspan="7" align="center" style="background:#4058A0; color:white"|<font color="white">'''WORKING SESSION OPERATIONAL RESOURCES'''  
 
  |-
 
  |-
  | style="width:100%; background:#cccccc" align="center"|Please add here, ASAP, any needed relevant resources, e.g. data-show, boards, laptops, etc.
+
  | style="width:100%; background:#cccccc" align="center"|Projector, whiteboards, markers, Internet connectivity, power
 
  |}
 
  |}
 
{| style="width:100%" border="0" align="center"
 
{| style="width:100%" border="0" align="center"
Line 55: Line 49:
 
  ! colspan="7" align="center" style="background:#4058A0; color:white"|<font color="white">'''WORKING SESSION ADDITIONAL DETAILS'''  
 
  ! colspan="7" align="center" style="background:#4058A0; color:white"|<font color="white">'''WORKING SESSION ADDITIONAL DETAILS'''  
 
  |-
 
  |-
  | style="width:100%; background:#cccccc" align="left"|There is plenty of knowledge available inside the OWASP community. This is spread via the OWASP AppSec Conferences and the local chapter meetings, not to forget the books available now. Another, very important way to distribute the available knowledge is to teach! In plenty presentations knowledge is put into slides to share it. The next step is to reuse the information of those presentations and create training material. In a Boot Camp for example, it's not only about telling how to break stuff, but let the attendees break it themselves. Also let them fix the problems, with guidance of the experienced!
+
  | style="width:100%; background:#cccccc" align="left"|
 +
* '''Browsers to invite''': IE, FF, Safari, Opera and Chrome.
 +
* '''Agenda''':
 +
- Time: 30 mins
 +
Introduction
 +
 
 +
- Time: 2 hrs 00 mins
 +
Identify and generate advice on short term issues with relatively low impact on adoption and site-breakage
 +
Analyze security feature matrix and compare browser features
 +
 
 +
- Time: 2 hrs 30 mins
 +
Address issues in the current HTML5 specifications
 +
 
 +
- Time: 3 hrs 30 mins
 +
Long term: General policy enforcement (NoScript as a model for browsers?)
 +
Long term: JavaScript policy-driven sandboxing
 +
 
 +
- Remaining time:
 +
 
 +
Identify 5 Key Browser Risks and select the top 3, Build a proposal to target key players in the industry and ask for their support
 +
Confirm point leads, roles and responsibilities
 +
 
 +
'''Related resources:'''
 +
* [[OWASP_Working_Session_-_Browser_Security_Letters]]
 
  |}
 
  |}
 
{| style="width:100%" border="0" align="center"
 
{| style="width:100%" border="0" align="center"
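Review bot: the agenda's "- Time:" values (30 mins, 2 hrs 00 mins, 2 hrs 30 mins, 3 hrs 30 mins) do not say whether they are block durations or running totals from the 8:30 start; read as durations they add up to 8h30 before "Remaining time", so label them explicitly (for example "Duration: 2 hrs" or "08:30 to 09:00") so attendees can plan around the HTML5 and long-term blocks.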
Line 65: Line 82:
 
  |-
 
  |-
 
  | style="width:7%; background:#7B8ABD" align="center"|
 
  | style="width:7%; background:#7B8ABD" align="center"|
  | style="width:46%; background:#C2C2C2" align="center"|Educational Support on Winter of Code 2008.  
+
  | style="width:46%; background:#C2C2C2" align="center"|OWASP Top 10 Browser Wishlist.  
  | style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here.  
+
  | style="width:47%; background:#C2C2C2" align="center"|Successful. Top 10 browser security features identified.
 
  |-
 
  |-
 
  | style="width:7%; background:#7B8ABD" align="center"|
 
  | style="width:7%; background:#7B8ABD" align="center"|
  | style="width:46%; background:#C2C2C2" align="center"|Guildeline about creating training material.  
+
  | style="width:46%; background:#C2C2C2" align="center"|Actionable advice and technical arguments for HTML5 feature set.  
  | style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here.  
+
  | style="width:47%; background:#C2C2C2" align="center"|Unsuccessful. HTML5 was not discussed due to time constraints.
 
  |-
 
  |-
 
  | style="width:7%; background:#7B8ABD" align="center"|
 
  | style="width:7%; background:#7B8ABD" align="center"|
  | style="width:46%; background:#C2C2C2" align="center"|Fill in here.
+
  | style="width:46%; background:#C2C2C2" align="center"|Establish OWASP points-of-contact for W3C.  
  | style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here.  
+
  | style="width:47%; background:#C2C2C2" align="center"|Unsuccessful. W3C relationship was not discussed due to time constraints.
  |}
+
|-
 +
| style="width:7%; background:#7B8ABD" align="center"|
 +
| style="width:46%; background:#C2C2C2" align="center"|Understand vendor perspective
 +
| style="width:47%; background:#C2C2C2" align="center"|Successful due to vendor insight from Peleus Uhley.
 +
|-
 +
| style="width:7%; background:#7B8ABD" align="center"|
 +
| style="width:46%; background:#C2C2C2" align="center"|Identify top 3 risks to browsers
 +
| style="width:47%; background:#C2C2C2" align="center"|Successful. A draft of an open letter to the browsers from the ISWG was created. Awaiting signing from security, industry and standards organizations before publishing.
 +
|-
 +
| style="width:7%; background:#7B8ABD" align="center"|
 +
| style="width:46%; background:#C2C2C2" align="center"|Begin promotional activities
 +
| style="width:47%; background:#C2C2C2" align="center"|Successful. Blog postings are planned, and talking points have been created.  
 +
|}
 
== Working Session Participants ==
 
== Working Session Participants ==
(Add you name by editing this table. On your the right, just above the this frame, you have the option to edit)
 
 
{| style="width:100%" border="0" align="center"
 
{| style="width:100%" border="0" align="center"
 
  ! colspan="7" align="center" style="background:#4058A0; color:white"|<font color="white">'''WORKING SESSION PARTICIPANTS'''  
 
  ! colspan="7" align="center" style="background:#4058A0; color:white"|<font color="white">'''WORKING SESSION PARTICIPANTS'''  
|-
 
| style="width:7%; background:#7B8ABD" align="center"|
 
| style="width:15%; background:#cccccc" align="center"|'''Name'''
 
| style="width:15%; background:#cccccc" align="center"|'''Company'''
 
| style="width:63%; background:#cccccc" align="center"|'''Notes & reason for participating, issues to be discussed/addressed'''
 
 
  |-
 
  |-
 
  | style="width:7%; background:#7B8ABD" align="center"|1
 
  | style="width:7%; background:#7B8ABD" align="center"|1
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"| Mario Heiderich
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"| Independent
  | style="width:63%; background:#cccccc" align="center"|
+
  | style="width:63%; background:#cccccc" align="center"| Participant
 
  |-
 
  |-
 
  | style="width:7%; background:#7B8ABD" align="center"|2
 
  | style="width:7%; background:#7B8ABD" align="center"|2
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"| Gareth Heyes
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"| Independent
  | style="width:63%; background:#cccccc" align="center"|
+
  | style="width:63%; background:#cccccc" align="center"| Participant
 
  |-
 
  |-
 
  | style="width:7%; background:#7B8ABD" align="center"|3
 
  | style="width:7%; background:#7B8ABD" align="center"|3
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"| Marcin Wielgoszewski
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"| Protiviti
  | style="width:63%; background:#cccccc" align="center"|
+
  | style="width:63%; background:#cccccc" align="center"| Participant
 
|-
 
|-
 
  | style="width:7%; background:#7B8ABD" align="center"|4
 
  | style="width:7%; background:#7B8ABD" align="center"|4
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"| Adam Baso
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"| Symantec
  | style="width:63%; background:#cccccc" align="center"|
+
  | style="width:63%; background:#cccccc" align="center"| Participant
 
|-
 
|-
 
  | style="width:7%; background:#7B8ABD" align="center"|5
 
  | style="width:7%; background:#7B8ABD" align="center"|5
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"| Achim Hoffmann
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"| Independent
  | style="width:63%; background:#cccccc" align="center"|
+
  | style="width:63%; background:#cccccc" align="center"| Participant
 
|-
 
|-
 
  | style="width:7%; background:#7B8ABD" align="center"|6
 
  | style="width:7%; background:#7B8ABD" align="center"|6
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"| David Rook
  | style="width:15%; background:#cccccc" align="center"|  
+
  | style="width:15%; background:#cccccc" align="center"| Realex Payments
  | style="width:63%; background:#cccccc" align="center"|
+
  | style="width:63%; background:#cccccc" align="center"| Participant
 
|-
 
|-
 
  | style="width:7%; background:#7B8ABD" align="center"|7
 
  | style="width:7%; background:#7B8ABD" align="center"|7
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"| Peleus Uhley
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"| Adobe Systems
  | style="width:63%; background:#cccccc" align="center"|
+
  | style="width:63%; background:#cccccc" align="center"| Participant
 
|-
 
|-
 
  | style="width:7%; background:#7B8ABD" align="center"|8
 
  | style="width:7%; background:#7B8ABD" align="center"|8
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"| Giorgio Fedon
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"| Minded Security
  | style="width:63%; background:#cccccc" align="center"|
+
  | style="width:63%; background:#cccccc" align="center"| Participant
 
|-
 
|-
 
  | style="width:7%; background:#7B8ABD" align="center"|9
 
  | style="width:7%; background:#7B8ABD" align="center"|9
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"| Esteban ribicic
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"| HP
  | style="width:63%; background:#cccccc" align="center"|
+
  | style="width:63%; background:#cccccc" align="center"| Participant
 
|-
 
|-
 
  | style="width:7%; background:#7B8ABD" align="center"|10
 
  | style="width:7%; background:#7B8ABD" align="center"|10
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"| Nishi Kumar
  | style="width:15%; background:#cccccc" align="center"|
+
  | style="width:15%; background:#cccccc" align="center"| Fidelity Nationals
  | style="width:63%; background:#cccccc" align="center"|
+
  | style="width:63%; background:#cccccc" align="center"| Participant
 +
|-
 +
| style="width:7%; background:#7B8ABD" align="center"|11
 +
| style="width:15%; background:#cccccc" align="center"| Alex Smolen
 +
| style="width:15%; background:#cccccc" align="center"| Foundstone
 +
| style="width:63%; background:#cccccc" align="center"| Participant
 +
|-
 +
| style="width:7%; background:#7B8ABD" align="center"|12
 +
| style="width:15%; background:#cccccc" align="center"| Tom Brennan
 +
| style="width:15%; background:#cccccc" align="center"| WhiteHat Security
 +
| style="width:63%; background:#cccccc" align="center"| Participant
 +
|-
 +
| style="width:7%; background:#7B8ABD" align="center"|13
 +
| style="width:15%; background:#cccccc" align="center"| Georg Hess
 +
| style="width:15%; background:#cccccc" align="center"| Art of Defence
 +
| style="width:63%; background:#cccccc" align="center"| Participant
 +
|-
 +
| style="width:7%; background:#7B8ABD" align="center"|14
 +
| style="width:15%; background:#cccccc" align="center"| Ljubibratic Gradimir
 +
| style="width:15%; background:#cccccc" align="center"| Telecom Serbia
 +
| style="width:63%; background:#cccccc" align="center"| Participant
 +
|-
 +
| style="width:7%; background:#7B8ABD" align="center"|15
 +
| style="width:15%; background:#cccccc" align="center"| Achim Hoffmann
 +
| style="width:15%; background:#cccccc" align="center"| SecureNet
 +
| style="width:63%; background:#cccccc" align="center"| Participant
 +
|-
 +
| style="width:7%; background:#7B8ABD" align="center"|16
 +
| style="width:15%; background:#cccccc" align="center"| Edgar Vasquez
 +
| style="width:15%; background:#cccccc" align="center"| Softtek
 +
| style="width:63%; background:#cccccc" align="center"| Participant
 +
|-
 +
| style="width:7%; background:#7B8ABD" align="center"|17
 +
| style="width:15%; background:#cccccc" align="center"|  Michael Coates
 +
| style="width:15%; background:#cccccc" align="center"|  Aspect Security
 +
| style="width:63%; background:#cccccc" align="center"|  Participant
 +
|-
 +
| style="width:7%; background:#7B8ABD" align="center"|18
 +
| style="width:15%; background:#cccccc" align="center"| David Campbell
 +
| style="width:15%; background:#cccccc" align="center"| OWASP Denver
 +
| style="width:63%; background:#cccccc" align="center"| Participant
 +
|-
 +
| style="width:7%; background:#7B8ABD" align="center"|19
 +
| style="width:15%; background:#cccccc" align="center"| Jeff Williams
 +
| style="width:15%; background:#cccccc" align="center"| Aspect Security
 +
| style="width:63%; background:#cccccc" align="center"| Participant
 +
|-
 +
| style="width:7%; background:#7B8ABD" align="center"|20
 +
| style="width:15%; background:#cccccc" align="center"| Kuai Hinojosa
 +
| style="width:15%; background:#cccccc" align="center"| NYU
 +
| style="width:63%; background:#cccccc" align="center"| Participant
 
  |}
 
  |}
If needed add here more lines.
+
 
 +
[[Category:OWASP_Working_Session]]
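Review bot: row 15 of the participants table repeats Achim Hoffmann, who is already row 5 (listed there as Independent, here as SecureNet); keep a single row with the correct affiliation. Row 9 "Esteban ribicic" needs the surname capitalised, and the instruction line above the table should read "Add your name by editing this table. On the right, just above this frame, you have the option to edit".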

Latest revision as of 14:17, 6 November 2008

Working Sessions Operational Rules - please see here for the general rules.
WORKING SESSION IDENTIFICATION
Work Session Name: ISWG Browser Security
Short Work Session Description: Brainstorming on how to introduce more useful security into our browsers
Related Projects (if any): OWASP ISWG (Intrinsic Security Working Group) = OWASP Intrinsic Security Working Group - Browser Security
Email Contacts & Roles:
  Chair: Arshan Dabirsiaghi (arshan.dabirsiaghi(at)aspectsecurity.com)
  Secretary: Kuai Hinojosa (kuai.hinojosa(at)owasp.org)
  Mailing list: Subscription Page - https://lists.owasp.org/mailman/listinfo/owasp-browser-security-wg
WORKING SESSION SPECIFICS
Objectives
  • Discuss ongoing HTML5 security research,
  • Discuss further ramifications of HTML5 (cross-site XHR, Access-Control, client storage, etc.),
  • Take a look at security critical areas and discuss possible browser improvements.
Venue/Date&Time/Model:
  Venue: OWASP EU Summit Portugal 2008
  Date&Time: November 4, 2008, 8:30
  Discussion Model: Everybody is a Participant
WORKING SESSION OPERATIONAL RESOURCES
Projector, whiteboards, markers, Internet connectivity, power
WORKING SESSION ADDITIONAL DETAILS
  • Browsers to invite: IE, FF, Safari, Opera and Chrome.
  • Agenda:
    - Time: 30 mins
      Introduction
    - Time: 2 hrs 00 mins
      Identify and generate advice on short-term issues with relatively low impact on adoption and site breakage
      Analyze the security feature matrix and compare browser features
    - Time: 2 hrs 30 mins
      Address issues in the current HTML5 specifications
    - Time: 3 hrs 30 mins
      Long term: general policy enforcement (NoScript as a model for browsers?)
      Long term: JavaScript policy-driven sandboxing
    - Remaining time:
      Identify 5 key browser risks and select the top 3; build a proposal to target key players in the industry and ask for their support
      Confirm point leads, roles and responsibilities

Related resources:
  • OWASP Working Session - Browser Security Letters

WORKING SESSION OUTCOMES
Statements, Initiatives or Decisions Proposed by Working Group | Approved by OWASP Board
OWASP Top 10 Browser Wishlist. | Successful. Top 10 browser security features identified.
Actionable advice and technical arguments for HTML5 feature set. | Unsuccessful. HTML5 was not discussed due to time constraints.
Establish OWASP points-of-contact for W3C. | Unsuccessful. W3C relationship was not discussed due to time constraints.
Understand vendor perspective | Successful due to vendor insight from Peleus Uhley.
Identify top 3 risks to browsers | Successful. A draft of an open letter to the browsers from the ISWG was created. Awaiting signing from security, industry and standards organizations before publishing.
Begin promotional activities | Successful. Blog postings are planned, and talking points have been created.

Working Session Participants

WORKING SESSION PARTICIPANTS
# | Name | Company | Notes & reason for participating
1 | Mario Heiderich | Independent | Participant
2 | Gareth Heyes | Independent | Participant
3 | Marcin Wielgoszewski | Protiviti | Participant
4 | Adam Baso | Symantec | Participant
5 | Achim Hoffmann | Independent | Participant
6 | David Rook | Realex Payments | Participant
7 | Peleus Uhley | Adobe Systems | Participant
8 | Giorgio Fedon | Minded Security | Participant
9 | Esteban Ribicic | HP | Participant
10 | Nishi Kumar | Fidelity Nationals | Participant
11 | Alex Smolen | Foundstone | Participant
12 | Tom Brennan | WhiteHat Security | Participant
13 | Georg Hess | Art of Defence | Participant
14 | Ljubibratic Gradimir | Telecom Serbia | Participant
15 | Achim Hoffmann | SecureNet | Participant
16 | Edgar Vasquez | Softtek | Participant
17 | Michael Coates | Aspect Security | Participant
18 | David Campbell | OWASP Denver | Participant
19 | Jeff Williams | Aspect Security | Participant
20 | Kuai Hinojosa | NYU | Participant