Difference between revisions of "Summit 2011 Working Sessions/Session001"

From OWASP
Jump to: navigation, search
(removing the dr. per his request :P)
 
(26 intermediate revisions by 10 users not shown)
Line 1: Line 1:
<noinclude>#REDIRECT [[Category:Summit_2011_Browser_Security_Track]]</noinclude>
+
{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Summit 2011 Working Sessions test tab</noinclude>
<includeonly>{{Template:{{{1}}}
+
 
|-
 
|-
  
| summit_session_attendee_name1 = John Wilander
+
| summit_session_attendee_name1 = Email John Wilander if you are unable to edit the Wiki and would like to sign up!
| summit_session_attendee_email1 =  
+
| summit_session_attendee_email1 = john.wilander@owasp.org
 +
| summit_session_attendee_username1 =  
 
| summit_session_attendee_company1=
 
| summit_session_attendee_company1=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed1=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed1=
Line 10: Line 10:
 
| summit_session_attendee_name2 = Michael Coates
 
| summit_session_attendee_name2 = Michael Coates
 
| summit_session_attendee_email2 =  
 
| summit_session_attendee_email2 =  
 +
| summit_session_attendee_username2 =
 
| summit_session_attendee_company2=
 
| summit_session_attendee_company2=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed2=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed2=
  
| summit_session_attendee_name3 =  
+
| summit_session_attendee_name3 = Eduardo Vela
| summit_session_attendee_email3 =  
+
| summit_session_attendee_email3 = evn@google.com
| summit_session_attendee_company3=
+
| summit_session_attendee_username3 = EduardoVela
 +
| summit_session_attendee_company3= Google
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed3=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed3=
  
| summit_session_attendee_name4 =  
+
| summit_session_attendee_name4 = Stefano Di Paola
 
| summit_session_attendee_email4 =  
 
| summit_session_attendee_email4 =  
 +
| summit_session_attendee_username4 =
 
| summit_session_attendee_company4=
 
| summit_session_attendee_company4=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed4=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed4=
  
| summit_session_attendee_name5 =  
+
| summit_session_attendee_name5 = Isaac Dawson
 
| summit_session_attendee_email5 =  
 
| summit_session_attendee_email5 =  
| summit_session_attendee_company5=
+
| summit_session_attendee_username5 =
 +
| summit_session_attendee_company5= Veracode
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed5=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed5=
  
| summit_session_attendee_name6 =  
+
| summit_session_attendee_name6 = Chris Eng
| summit_session_attendee_email6 =  
+
| summit_session_attendee_email6 = ceng@veracode.com
| summit_session_attendee_company6=
+
| summit_session_attendee_username6 =  
 +
| summit_session_attendee_company6= Veracode
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed6=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed6=
  
| summit_session_attendee_name7 =  
+
| summit_session_attendee_name7 = Alexandre Miguel Aniceto
| summit_session_attendee_email7 =  
+
| summit_session_attendee_email7 = alexandre.aniceto@sekirite.org
| summit_session_attendee_company7=
+
| summit_session_attendee_username7 = Alexandre Miguel Aniceto
 +
| summit_session_attendee_company7= Willway
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed7=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed7=
  
 
| summit_session_attendee_name8 =  
 
| summit_session_attendee_name8 =  
 
| summit_session_attendee_email8 =  
 
| summit_session_attendee_email8 =  
 +
| summit_session_attendee_username8 =
 
| summit_session_attendee_company8=
 
| summit_session_attendee_company8=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed8=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed8=
Line 45: Line 52:
 
| summit_session_attendee_name9 =  
 
| summit_session_attendee_name9 =  
 
| summit_session_attendee_email9 =  
 
| summit_session_attendee_email9 =  
 +
| summit_session_attendee_username9 =
 
| summit_session_attendee_company9=
 
| summit_session_attendee_company9=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed9=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed9=
Line 50: Line 58:
 
| summit_session_attendee_name10 =  
 
| summit_session_attendee_name10 =  
 
| summit_session_attendee_email10 =  
 
| summit_session_attendee_email10 =  
 +
| summit_session_attendee_username10 =
 
| summit_session_attendee_company10=
 
| summit_session_attendee_company10=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed10=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed10=
Line 55: Line 64:
 
| summit_session_attendee_name11 =  
 
| summit_session_attendee_name11 =  
 
| summit_session_attendee_email11 =  
 
| summit_session_attendee_email11 =  
 +
| summit_session_attendee_username11 =
 
| summit_session_attendee_company11=
 
| summit_session_attendee_company11=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed11=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed11=
Line 60: Line 70:
 
| summit_session_attendee_name12 =  
 
| summit_session_attendee_name12 =  
 
| summit_session_attendee_email12 =  
 
| summit_session_attendee_email12 =  
 +
| summit_session_attendee_username12 =
 
| summit_session_attendee_company12=
 
| summit_session_attendee_company12=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed12=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed12=
Line 65: Line 76:
 
| summit_session_attendee_name13 =  
 
| summit_session_attendee_name13 =  
 
| summit_session_attendee_email13 =  
 
| summit_session_attendee_email13 =  
 +
| summit_session_attendee_username13 =
 
| summit_session_attendee_company13=
 
| summit_session_attendee_company13=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed13=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed13=
Line 70: Line 82:
 
| summit_session_attendee_name14 =  
 
| summit_session_attendee_name14 =  
 
| summit_session_attendee_email14 =  
 
| summit_session_attendee_email14 =  
 +
| summit_session_attendee_username14 =
 
| summit_session_attendee_company14=
 
| summit_session_attendee_company14=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed14=  
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed14=  
Line 75: Line 88:
 
| summit_session_attendee_name15 =  
 
| summit_session_attendee_name15 =  
 
| summit_session_attendee_email15 =  
 
| summit_session_attendee_email15 =  
 +
| summit_session_attendee_username15 =
 
| summit_session_attendee_company15=
 
| summit_session_attendee_company15=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed15=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed15=
Line 80: Line 94:
 
| summit_session_attendee_name16 =  
 
| summit_session_attendee_name16 =  
 
| summit_session_attendee_email16 =  
 
| summit_session_attendee_email16 =  
 +
| summit_session_attendee_username16 =
 
| summit_session_attendee_company16=
 
| summit_session_attendee_company16=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed16=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed16=
Line 85: Line 100:
 
| summit_session_attendee_name17 =  
 
| summit_session_attendee_name17 =  
 
| summit_session_attendee_email17 =  
 
| summit_session_attendee_email17 =  
 +
| summit_session_attendee_username17 =
 
| summit_session_attendee_company17=
 
| summit_session_attendee_company17=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed17=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed17=
Line 90: Line 106:
 
| summit_session_attendee_name18 =  
 
| summit_session_attendee_name18 =  
 
| summit_session_attendee_email18 =  
 
| summit_session_attendee_email18 =  
 +
| summit_session_attendee_username18 =
 
| summit_session_attendee_company18=
 
| summit_session_attendee_company18=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed18=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed18=
Line 95: Line 112:
 
| summit_session_attendee_name19 =  
 
| summit_session_attendee_name19 =  
 
| summit_session_attendee_email19 =  
 
| summit_session_attendee_email19 =  
 +
| summit_session_attendee_username19 =
 
| summit_session_attendee_company19=
 
| summit_session_attendee_company19=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed19=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed19=
Line 100: Line 118:
 
| summit_session_attendee_name20 =  
 
| summit_session_attendee_name20 =  
 
| summit_session_attendee_email20 =  
 
| summit_session_attendee_email20 =  
 +
| summit_session_attendee_username20 =
 
| summit_session_attendee_company20=
 
| summit_session_attendee_company20=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed20=
 
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed20=
  
 
|-
 
|-
| summit_session_name = Browser Security Working Group
+
| summit_track_logo = [[Image:T._browser_security.jpg]]
 +
| summit_ws_logo = [[Image:WS._browser_security.jpg]]
 +
| summit_session_name = DOM Sandboxing
 
| summit_session_url = http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session001
 
| summit_session_url = http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session001
 +
| mailing_list = https://groups.google.com/group/owasp-summit-browsersec
 
|-
 
|-
  
| short_working_session_description= One of the great challenges of application security is browser security. The browser is becoming our de facto runtime platform for applications and it comprises a whole ecosystem of plug-ins and web technologies. Therefore we will spend a full day working together with the leading browser vendors to penetrate current problems, new ideas, and how security fits in alongside other requirements from developers and end-users. Do not miss this chance to influence what's important in browser security in the coming years.
+
| short_working_session_description= '''Virtualization and Sandboxing for Secure Multi-Domain Web Apps'''
 
+
 
|-
 
|-
  
| related_project_name1 =  
+
| related_project_name1 = Browser Security Track - main page
| related_project_url_1 =  
+
| related_project_url_1 = http://www.owasp.org/index.php/Category:Summit_2011_Browser_Security_Track
  
| related_project_name2 =  
+
| related_project_name2 = Google Group for the Browser Security Track
| related_project_url_2 =  
+
| related_project_url_2 = https://groups.google.com/group/owasp-summit-browsersec
  
 
| related_project_name3 =  
 
| related_project_name3 =  
Line 129: Line 150:
 
|-
 
|-
  
| summit_session_objective_name1= Work on and discuss how to enhance enduser security in web applications,  
+
| summit_session_objective_name1= '''Attenuated versions of existing apis to sandboxed code'''. <noinclude>How should browsers introduce new apis into the sandbox or allow the sandbox to provide attenuated versions of existing apis to sandboxed code? For example, lets say the sandbox wants to provide an attenuated "alert" function to sandboxed code which does something slightly different than the real "alert". What kind of apis could the browser provide to safely allow such extensions/apis? Do these need to be standardized such that different sandbox vendors can interoperate.</noinclude>
  
| summit_session_objective_name2 = Work on and discuss browser-based countermeasures against XSS, CSRF, man-in-the-middle, man-in-the-browser and full remote access exploits
+
| summit_session_objective_name2 = '''Client side sandboxed apps maintaining state and authentication'''.<noinclude> For example if a user is created in a sandboxed app how is it determined what that user can do?</noinclude>
  
| summit_session_objective_name3 =  
+
| summit_session_objective_name3 = '''Create a standard for modifying a sandboxed environment'''
  
| summit_session_objective_name4 =  
+
| summit_session_objective_name4 = '''Deprecate and discourage standards''' which ambiently or undeniably pass credentials.
  
| summit_session_objective_name5 =
+
| summit_session_objective_name5 =   '''Create a standard for authentication within a sandboxed environment''' (maybe interfacing with existing auth without passing creds like 0Auth works)
  
 
|-
 
|-
  
| working_session_date_and_time =  
+
| working_session_date_and_time = Tuesday, 09 February <br> Time: TBA
  
 
|-
 
|-
  
| discussion_model = participants and attendees
+
| discussion_model = The working form will most probably be short presentations to frame the topic and then round table discussions. Depending on number of attendees we'll break into groups.
  
 
|-
 
|-
Line 153: Line 174:
 
|-
 
|-
  
| working_session_additional_details = *'''Related resources:''' [[OWASP Working Session - Browser Security Letters]] <br> *'''Browser vendors invited: '''Apple, Google, Microsoft, Mozilla, Opera
+
| working_session_additional_details = <br>
 +
[[Image:JS_DOM_Box_Jasvir_Gaz.jpg]]
 +
 
 +
===Co-chair Dr Jasvir Nagra===
 +
Jasvir Nagra is a researcher and software engineer at Google. He is the designer of [http://code.google.com/p/google-caja/ Caja] - a secure subset of HTML, CSS and JavaScript; co-author of [http://www.amazon.com/Surreptitious-Software-Obfuscation-Watermarking-Tamperproofing/dp/0321549252 Surreptitious Software] - a book on obfuscation, software watermarking and tamper-proofing, contributer to [http://shindig.apache.org/ Shindig] - the reference implementation of OpenSocial.
 +
 
 +
===Co-chair Gareth Heyes===
 +
Gareth "Gaz" Heyes calls himself Chief Conspiracy theorist and is affiliated with Microsoft. He is the designer and developer behind [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=JSReg JSReg] – a Javascript sandbox which converts code using regular expressions; [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=HTMLReg HTMLReg] & [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=CSSReg CSSReg] – converters of malicious HTML/CSS into a safe form of HTML. He is also one of the co-authors of [http://www.amazon.com/Web-Application-Obfuscation-WAFs-Evasion-Filters-alert/dp/1597496049 Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-'] – a book on how an attacker would bypass different types of security controls including IDS/IPS.
  
 
|-
 
|-
  
|summit_session_deliverable_name1 = Enhanced cooperation between browser vendors.
+
|summit_session_deliverable_name1 = Browser Security Report
|summit_session_deliverable_url_1 =
+
  
|summit_session_deliverable_name2 = A new role for OWASP in this area.
+
|summit_session_deliverable_name2 = Browser Security Priority List
|summit_session_deliverable_url_2 =
+
  
 
|summit_session_deliverable_name3 =  
 
|summit_session_deliverable_name3 =  
|summit_session_deliverable_url_3 =
 
  
 
|summit_session_deliverable_name4 =  
 
|summit_session_deliverable_name4 =  
|summit_session_deliverable_url_4 =
 
  
 
|summit_session_deliverable_name5 =  
 
|summit_session_deliverable_name5 =  
|summit_session_deliverable_url_5 =  
+
 
 +
|summit_session_deliverable_name6 =
 +
 
 +
|summit_session_deliverable_name7 =
 +
 
 +
|summit_session_deliverable_name8 =  
  
 
|-
 
|-
  
| summit_session_leader_name1 = John Wilander
+
| summit_session_leader_name1 = Jasvir Nagra
| summit_session_leader_email1 = john.wilander@owasp.org
+
| summit_session_leader_email1 =  
 +
| summit_session_leader_username1 =
  
| summit_session_leader_name2 =  
+
| summit_session_leader_name2 = Gareth Heyes
| summit_session_leader_email2 =  
+
| summit_session_leader_email2 = gazheyes@gmail.com
 +
| summit_session_leader_username2 = Gareth Heyes
  
| summit_session_leader_name3 =  
+
| summit_session_leader_name3 =
 
| summit_session_leader_email3 =  
 
| summit_session_leader_email3 =  
 +
| summit_session_leader_username3 =
  
 
|-
 
|-
  
| operational_leader_name1 =
+
| operational_leader_name1 = John Wilander
| operational_leader_email1 =
+
| operational_leader_email1 = john.wilander@owasp.org
  
 
|-
 
|-

Latest revision as of 05:25, 8 February 2011

Global Summit 2011 Home Page
Global Summit 2011 Tracks

WS. browser security.jpg DOM Sandboxing
Please see/use the 'discussion' page for more details about this Working Session
Working Sessions Operational Rules - Please see here the general frame of rules.
WORKING SESSION IDENTIFICATION
Short Work Session Description Virtualization and Sandboxing for Secure Multi-Domain Web Apps
Related Projects (if any)


Email Contacts & Roles Chair
Jasvir Nagra
Gareth Heyes @
Operational Manager
John Wilander @
Mailing list
https://groups.google.com/group/owasp-summit-browsersec
WORKING SESSION SPECIFICS
Objectives
  1. Attenuated versions of existing apis to sandboxed code. How should browsers introduce new apis into the sandbox or allow the sandbox to provide attenuated versions of existing apis to sandboxed code? For example, lets say the sandbox wants to provide an attenuated "alert" function to sandboxed code which does something slightly different than the real "alert". What kind of apis could the browser provide to safely allow such extensions/apis? Do these need to be standardized such that different sandbox vendors can interoperate.
  2. Client side sandboxed apps maintaining state and authentication. For example if a user is created in a sandboxed app how is it determined what that user can do?
  3. Create a standard for modifying a sandboxed environment
  4. Deprecate and discourage standards which ambiently or undeniably pass credentials.
  5. Create a standard for authentication within a sandboxed environment (maybe interfacing with existing auth without passing creds like 0Auth works)

Venue/Date&Time/Model Venue/Room
OWASP Global Summit Portugal 2011
Date & Time
Tuesday, 09 February
Time: TBA


Discussion Model
The working form will most probably be short presentations to frame the topic and then round table discussions. Depending on number of attendees we'll break into groups.

WORKING SESSION OPERATIONAL RESOURCES
Projector, whiteboards, markers, Internet connectivity, power

WORKING SESSION ADDITIONAL DETAILS

JS DOM Box Jasvir Gaz.jpg

Co-chair Dr Jasvir Nagra

Jasvir Nagra is a researcher and software engineer at Google. He is the designer of Caja - a secure subset of HTML, CSS and JavaScript; co-author of Surreptitious Software - a book on obfuscation, software watermarking and tamper-proofing, contributer to Shindig - the reference implementation of OpenSocial.

Co-chair Gareth Heyes

Gareth "Gaz" Heyes calls himself Chief Conspiracy theorist and is affiliated with Microsoft. He is the designer and developer behind JSReg – a Javascript sandbox which converts code using regular expressions; HTMLReg & CSSReg – converters of malicious HTML/CSS into a safe form of HTML. He is also one of the co-authors of Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-' – a book on how an attacker would bypass different types of security controls including IDS/IPS.

WORKING SESSION OUTCOMES / DELIVERABLES
Proposed by Working Group Approved by OWASP Board

Browser Security Report

After the Board Meeting - fill in here.

Browser Security Priority List

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

After the Board Meeting - fill in here.

Working Session Participants

(Add you name by clicking "edit" on the tab on the upper left side of this page)

WORKING SESSION PARTICIPANTS
Name Company Notes & reason for participating, issues to be discussed/addressed
Email John Wilander if you are unable to edit the Wiki and would like to sign up! @


Michael Coates


Eduardo Vela @
Google

Stefano Di Paola


Isaac Dawson
Veracode

Chris Eng @
Veracode

Alexandre Miguel Aniceto @
Willway








































</includeonly>