[Global_industry_committee] New IETF Web Security working group / W3C Web Application Security Working Group

Eoin eoin.keary at owasp.org
Sat Oct 23 15:39:53 EDT 2010


Sounds like nothing new.....
Another security group doing the same stuff as all the rest....

On 23 October 2010 15:14, Colin Watson <colin.watson at owasp.org> wrote:

> Please see below a message sent to the OWASP London list, and
> forwarded here with permission.
>
> Does anyone know people involved with this already, or any other comments?
>
> Colin
>
>
> ---------- Forwarded message ----------
> From: Tobias Gondrom <tobias.gondrom at gondrom.org>
> Date: 22 October 2010 20:01
> Subject: [Owasp-london] We can address some of the Security problems
> at the root: New IETF Web Security working group – your ideas?
> To: owasp-london at lists.owasp.org
>
>
> Hi dear fellow OWASP London members,
>
> many of the security problems we face derive from weaknesses and
> inconsistencies in the operation of the browsers and the HTTP
> protocol. And as OWASP, we have been pretty good at mitigating these
> problems and working around these deficiencies. But many times I felt
> like we actually should try to change the underlying root of the
> problem rather than having to live and work within it.
>
> The IETF (Internet Engineering Task Force) set up a new working group
> WEBSEC (http://datatracker.ietf.org/wg/websec/charter/) to identify
> and tackle these underlying issues and develop standards to solve them
> wherever possible. It will also work closely with the W3C Web
> Application Security Working Group to get the new changes on the road
> and implemented.
>
> These two working groups will provide the unique opportunity to
> actually change some of the underlying mechanisms and try to solve
> some of our biggest security challenges at the root. But to accomplish
> that, it is important to understand what the problem is and what
> should be done, and what better place than OWASP, with the best Web
> Application Security minds, to ask what is good and what should be
> changed and corrected and in which way.
>
> So I would like to invite you to provide input for this and join the
> WEBSEC working group (note: the IETF is an open organization like
> OWASP and all WGs are open for everybody to join freely).
> You can join the group and its mailing-list here:
> https://www.ietf.org/mailman/listinfo/websec
> If you are new to the IETF, there is a small info page Tao of the IETF
> (http://www.ietf.org/tao.html)
>
> So what are your ideas to help mitigate many of the OWASP top ten?
> What are the biggest problems?
> What should be done?
> What HTTP headers, protocol and policies would you suggest we change or
> correct?
> Do we need to standardize new headers and certain browser behavior
> across the vendors?
> How should browsers behave to be safe or how should their behavior
> change for us to be able to build more secure web applications?
>
> The time frame for this opportunity of change is within the next few
> months, so if you have ideas and suggestions please come forward and
> we need to work on them now!
>
> Just as an example, the first items that we discuss are Media Type
> Sniffing, Web Origin Concept, integrity of the browser and server,
> usage of DNSSEC, Strict Transport Security, X-FRAME-OPTIONS, but
> there's a lot more to do and we need your input as OWASP experts!
>
> So if you have ideas, please join the WG and/or get in touch with me.
> And please forward this to interested chapters and people!
>
> Kind regards, Tobias
>
>
> Tobias Gondrom
> email: tobias.gondrom at gondrom.org
> mobile: +447521003005
>



-- 
Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author

Sent from my i-Transmogrifier
http://asg.ie/
https://twitter.com/EoinKeary