[Global_industry_committee] New IETF Web Security working group / W3C Web Application Security Working Group

Rex Booth rex.booth at owasp.org
Sat Oct 23 19:40:14 EDT 2010


We may want to stop copying Tobias if we want to have a frank, internal discussion.  Just a thought.

On Oct 23, 2010, at 7:22 PM, Jason Li <jason.li at owasp.org> wrote:

> How many such groups like this are there?
> 
> Would it be worthwhile to try and bring them all together under one
> unifying banner?
> 
> Perhaps at the OWASP Summit?
> 
> W3C and IETF seem like relatively influential groups - so if we can
> facilitate them working together with other big industry groups, that
> seems like a worthy effort for OWASP.
> 
> -Jason
> 
> On Sat, Oct 23, 2010 at 3:39 PM, Eoin <eoin.keary at owasp.org> wrote:
>> sounds like nothing new.....
>> another security group doing the same stuff as all the rest....
>> 
>> On 23 October 2010 15:14, Colin Watson <colin.watson at owasp.org> wrote:
>>> 
>>> Please see below a message sent to the OWASP London list, and
>>> forwarded here with permission.
>>> 
>>> Does anyone know people involved with this already, or any other comments?
>>> 
>>> Colin
>>> 
>>> 
>>> ---------- Forwarded message ----------
>>> From: Tobias Gondrom <tobias.gondrom at gondrom.org>
>>> Date: 22 October 2010 20:01
>>> Subject: [Owasp-london] We can address some of the Security problems
>>> at the root: New IETF Web Security working group – your ideas?
>>> To: owasp-london at lists.owasp.org
>>> 
>>> 
>>> Hi dear fellow OWASP London members,
>>> 
>>> Many of the security problems we face derive from weaknesses and
>>> inconsistencies in the operation of the browsers and the HTTP
>>> protocol. And as OWASP, we have been pretty good at mitigating these
>>> problems and working around these deficiencies. But many times I felt
>>> like we actually should try to change the underlying root of the
>>> problem rather than having to live and work within it.
>>> 
>>> The IETF (Internet Engineering Task Force) set up a new working group
>>> WEBSEC (http://datatracker.ietf.org/wg/websec/charter/) to identify
>>> and tackle these underlying issues and develop standards to solve them
>>> wherever possible. It will also work closely with the W3C Web
>>> Application Security Working Group to get the new changes on the road
>>> and implemented.
>>> 
>>> These two working groups will provide the unique opportunity to
>>> actually change some of the underlying mechanisms and try to solve
>>> some of our biggest security challenges at the root. But for that to
>>> be accomplished, it is important to understand what the problem is and
>>> what should be done, and what better place than OWASP, with the best Web
>>> Application Security minds, to ask what is good and what should be
>>> changed and corrected, and in which way.
>>> 
>>> So I would like to invite you to provide input for this and join the
>>> WEBSEC working group (note: the IETF is an open organization like
>>> OWASP and all WGs are open for everybody to join freely).
>>> You can join the group and its mailing list here:
>>> https://www.ietf.org/mailman/listinfo/websec
>>> If you are new to the IETF, there is a small info page, the Tao of the IETF
>>> (http://www.ietf.org/tao.html).
>>> 
>>> So what are your ideas to help mitigate many of the OWASP top ten?
>>> What are the biggest problems?
>>> What should be done?
>>> What HTTP headers, protocol and policies would you suggest we change or
>>> correct?
>>> Do we need to standardize new headers and certain browser behavior
>>> across the vendors?
>>> How should browsers behave to be safe, or how should their behavior
>>> change for us to be able to build more secure web applications?
>>> 
>>> The time frame for this opportunity of change is within the next few
>>> months, so if you have ideas and suggestions please come forward, as
>>> we need to work on them now!
>>> 
>>> Just as an example, the first items that we discuss are Media Type
>>> Sniffing, the Web Origin Concept, integrity of the browser and server,
>>> usage of DNSSEC, Strict Transport Security and X-FRAME-OPTIONS, but
>>> there's a lot more to do and we need your input as OWASP experts!
>>> 
>>> So if you have ideas, please join the WG and/or get in touch with me.
>>> And please forward this to interested chapters and people!
>>> 
>>> Kind regards, Tobias
>>> 
>>> 
>>> Tobias Gondrom
>>> email: tobias.gondrom at gondrom.org
>>> mobile: +447521003005
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> Owasp-london mailing list
>>> Owasp-london at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-london
>>> _______________________________________________
>>> Global_industry_committee mailing list
>>> Global_industry_committee at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/global_industry_committee
>> 
>> 
>> 
>> --
>> Eoin Keary
>> OWASP Global Board Member
>> OWASP Code Review Guide Lead Author
>> 
>> Sent from my i-Transmogrifier
>> http://asg.ie/
>> https://twitter.com/EoinKeary
>> 
>> 
>> 