[Global_industry_committee] New IETF Web Security working group / W3C Web Application Security Working Group

Jason Li jason.li at owasp.org
Sat Oct 23 19:22:10 EDT 2010


How many such groups like this are there?

Would it be worthwhile to try and bring them all together under one
unifying banner?

Perhaps at the OWASP Summit?

W3C and IETF seem like relatively influential groups - so if we can
facilitate them working together with other big industry groups, that
seems like a worthy effort for OWASP.

-Jason

On Sat, Oct 23, 2010 at 3:39 PM, Eoin <eoin.keary at owasp.org> wrote:
> sounds like nothing new.....
> another security group doing the same stuff as all the rest....
>
> On 23 October 2010 15:14, Colin Watson <colin.watson at owasp.org> wrote:
>>
>> Please see below a message sent to the OWASP London list, and
>> forwarded here with permission.
>>
>> Does anyone know people involved with this already, or any other comments?
>>
>> Colin
>>
>>
>> ---------- Forwarded message ----------
>> From: Tobias Gondrom <tobias.gondrom at gondrom.org>
>> Date: 22 October 2010 20:01
>> Subject: [Owasp-london] We can address some of the Security problems
>> at the root: New IETF Web Security working group – your ideas?
>> To: owasp-london at lists.owasp.org
>>
>>
>> Hi dear fellow OWASP London members,
>>
>> many of the security problems we face derive from weaknesses and
>> inconsistencies in the operation of the browsers and the HTTP
>> protocol. And as OWASP, we have been pretty good at mitigating these
>> problems and working around these deficiencies. But many times I felt
>> like we actually should try to change the underlying root of the
>> problem rather than having to live and work within it.
>>
>> The IETF (Internet Engineering Task Force) set up a new working group
>> WEBSEC (http://datatracker.ietf.org/wg/websec/charter/) to identify
>> and tackle these underlying issues and develop standards to solve them
>> wherever possible. It will also work closely with the W3C Web
>> Application Security Working Group to get the new changes on the road
>> and implemented.
>>
>> These two working groups will provide the unique opportunity to
>> actually change some of the underlying mechanisms and try to solve
>> some of our biggest security challenges at the root. But for that to
>> be accomplished, it is important to understand what the problem is and
>> what should be done, and what better place than OWASP, with the best Web
>> Application Security minds, to ask what is good and what should be
>> changed and corrected, and in which way.
>>
>> So I would like to invite you to provide input for this and join the
>> WEBSEC working group (note: the IETF is an open organization like
>> OWASP and all WGs are open for everybody to join freely).
>> You can join the group and its mailing-list here:
>> https://www.ietf.org/mailman/listinfo/websec
>> If you are new to the IETF, there is a small info page Tao of the IETF
>> (http://www.ietf.org/tao.html)
>>
>> So what are your ideas to help mitigate many of the OWASP top ten?
>> What are the biggest problems?
>> What should be done?
>> What HTTP headers, protocols and policies would you suggest we change or
>> correct?
>> Do we need to standardize new headers and certain browser behavior
>> across the vendors?
>> How should browsers behave to be safe, or how should their behavior
>> change for us to be able to build more secure web applications?
>>
>> The time frame for this opportunity of change is within the next few
>> months, so if you have ideas and suggestions please come forward; we
>> need to work on them now!
>>
>> Just as an example, the first items that we are discussing are Media Type
>> Sniffing, the Web Origin Concept, integrity of the browser and server,
>> usage of DNSSEC, Strict Transport Security and X-FRAME-OPTIONS, but
>> there's a lot more to do and we need your input as OWASP experts!
>>
>> So if you have ideas, please join the WG and/or get in touch with me.
>> And please forward this to interested chapters and people!
>>
>> Kind regards, Tobias
>>
>>
>> Tobias Gondrom
>> email: tobias.gondrom at gondrom.org
>> mobile: +447521003005
>>
>>
>>
>> _______________________________________________
>> Owasp-london mailing list
>> Owasp-london at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-london
>> _______________________________________________
>> Global_industry_committee mailing list
>> Global_industry_committee at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/global_industry_committee
>
>
>
> --
> Eoin Keary
> OWASP Global Board Member
> OWASP Code Review Guide Lead Author
>
> Sent from my i-Transmogrifier
> http://asg.ie/
> https://twitter.com/EoinKeary
>