06:38:51 <RRSAgent> RRSAgent has joined #secure-the-web
06:38:55 <RRSAgent> logging to https://www.w3.org/2023/09/13-secure-the-web-irc
06:38:55 <tidoust> RRSAgent, make logs public
06:39:26 <tidoust> Meeting: Secure the Web Forward
06:39:57 <tidoust> Chair: Daniel Appelquist
06:39:57 <tidoust> Agenda: https://www.w3.org/2023/Talks/TPAC/breakouts/secure-forward/
06:39:57 <tidoust> Slideset: https://www.w3.org/2023/Talks/TPAC/breakouts/secure-forward/
06:39:57 <tidoust> clear agenda
06:39:57 <tidoust> agenda+ Pick a scribe
06:39:57 <tidoust> agenda+ Reminders: code of conduct, health policies, recorded session policy
06:39:57 <tidoust> agenda+ Goal of this session
06:39:57 <tidoust> agenda+ Discussion
06:39:57 <tidoust> agenda+ Next steps / where discussion continues
06:50:11 <tidoust> RRSAgent, do not leave
07:20:14 <tidoust> tidoust has joined #secure-the-web
09:01:00 <tidoust> tidoust has joined #secure-the-web
12:05:13 <tidoust> tidoust has joined #secure-the-web
13:59:22 <RRSAgent> RRSAgent has joined #secure-the-web
13:59:22 <RRSAgent> logging to https://www.w3.org/2023/09/13-secure-the-web-irc
14:01:17 <DKA_> DKA_ has joined #secure-the-web
14:01:17 <dhuigens> dhuigens has joined #secure-the-web
14:01:54 <fscholz> fscholz has joined #secure-the-web
14:02:25 <michaelficarra> michaelficarra has joined #secure-the-web
14:02:53 <tidoust> scribe+ tidoust
14:04:16 <dom__> dom__ has joined #secure-the-web
14:04:33 <zcorpan> zcorpan has joined #secure-the-web
14:04:40 <tidoust> DKA_: Welcome to the Secure the Web Forward session. About securing the web!
14:04:53 <tidoust> ... Put some additional energy behind web security.
14:04:56 <zcorpan> present+
14:05:15 <Jun> Jun has joined #secure-the-web
14:05:25 <tidoust> ... Not intended to duplicate the work in WebAppSec, but rather other aspects on software security that are maybe not being addressed enough in W3C and by web devs in general
14:05:44 <dom__> Present+
14:05:46 <tidoust> ... Bridge software security ecosystem and web dev ecosystem.
14:06:15 <tidoust> ... I've been participating in the OSS Foundation, with Arnaud.
14:06:24 <phao> phao has joined #secure-the-web
14:06:40 <tidoust> ... Some language used there is not familiar with language used in web dev circles.
14:06:40 <labrax> labrax has joined #secure-the-web
14:07:01 <tidoust> ... Open source ecosystem may not be familiar with the issues that most web devs have with regard to security.
14:07:29 <Bert> Bert has joined #secure-the-web
14:08:06 <tidoust> ... Next week, I'm going to run a companion session to this in the OSS meeting.
14:08:13 <tidoust> ... Part of this is converging on a common understanding
14:08:17 <Bert> RRSAgent, pointer?
14:08:17 <RRSAgent> See https://www.w3.org/2023/09/13-secure-the-web-irc#T14-08-17
14:08:17 <tidoust> ... That is important for the future of the web.
14:08:35 <Bert> present+
14:08:41 <tidoust> ... People are using the web for all sorts of aspects with heavily personal information. All mediated through the web.
14:08:50 <tidoust> ... Very important to strengthen the web
14:08:55 <labrax> present+
14:09:42 <dom__> [slide 5]
14:11:46 <DKA_> present+ Dan_Appelquist
14:12:01 <hober> hober has joined #secure-the-web
14:12:17 <hober> present+
14:13:01 <weiler> weiler has joined #secure-the-web
14:14:15 <tidoust> [tidoust quickly introduces the results of the MDN short survey run in May 2023]
14:14:20 <tidoust> present+
14:14:56 <tidoust> DKA_: Having been involved in UK government in the past, I'd like to emphasize the regulatory requirements here.
14:15:16 <tidoust> ... All in flux, sometimes hard to understood by developers.
14:15:45 <tidoust> Arnaud: What's happening is that open source is under attack. There isn't a piece of software out there that does not use open source.
14:16:15 <tidoust> ... This has led to a situation where bad actors have realized that this is weak spot, and target open source.
14:16:32 <tidoust> ... Government are starting to realize that this is costing a lot of money.
14:16:39 <tidoust> ... There is a public safety element to it.
14:17:09 <tidoust> ... The US government started by requiring to list the components that are in a particular piece of software.
14:17:47 <tidoust> ... In the web space, we import a lot of things. Anybody installing an npm package knows that. The amount of dependencies is crazy.
14:18:20 <tidoust> ... The Cyber Security Resiliency Act puts the liability on the software, no more "use at your own risk".
14:18:32 <tidoust> ... A whole bunch of efforts that is happening.
14:18:46 <tidoust> ... Such a big problem that needs to be addressed from different perspectives.
14:19:38 <tidoust> ... One of the most fascinating attack that I've seen is typo squatting. You just change a character and publish a new package, which gets picked up by people, and then you control further releases.
14:19:55 <tidoust> ... Some tools can be used to scan your code, to alert you when there is an import.
14:20:07 <tidoust> ... Some tools will scour GitHub repositories.
14:20:30 <tidoust> ... It's not just about vulnerabilities, also about "do you use peer reviews?"
14:20:53 <tidoust> ... It seems a good idea to bring this in the W3C space. The problem is bigger than the usual discussions.
14:21:10 <tidoust> ... Of course, we talk about security in W3C, but not from that overall perspective.
14:21:37 <dom__> [slide 6]
14:21:39 <tidoust> ... We thought that this was an opportunity to discuss and see what we can do
14:21:51 <tidoust> [slide 7]
14:22:28 <tidoust> DKA_: "Software supply chain". That's a term that I hadn't heard about before last year. Open SSF talks about that all the time.
14:22:49 <tidoust> ... Software supply chain gets talked about in terms of a bill of material.
14:23:36 <tidoust> ... That's a situation where there are two competing standards, because, you know, standards.
14:23:36 <tidoust> ... Has anybody integrated SBOM in a development pipeline?
14:23:36 <labrax> q+
14:23:43 <tidoust> ack labrax
14:23:54 <Camille> Camille has joined #secure-the-web
14:24:24 <tidoust> labrax: Member of the SPDX community.
14:24:33 <labrax> OSS Review Toolkit
14:24:34 <dom__> -> https://spdx.dev/ SPDX
14:25:09 <DKA_> q?
14:25:09 <dhuigens> dhuigens has joined #secure-the-web
14:25:09 <dom__> -> https://github.com/oss-review-toolkit/ort A suite of tools to assist with reviewing Open Source Software dependencies.
14:25:16 <tidoust> ... I developed an OSS Review Toolkit to get modular feedback on software analysis.
14:25:17 <fscholz> fscholz has joined #secure-the-web
14:25:25 <sysrqb> sysrqb has joined #secure-the-web
14:25:40 <tidoust> ... If modules all speak the same SPDX, that could greatly help with interoperability.
14:26:16 <tidoust> ... Generally, false positives tend to be a problem
14:26:49 <dom__> q+
14:27:53 <tidoust> Camille: Security in Chrome. SPI seems a preliminary to any kind of inventory such as the one we're talking about.
14:28:03 <dom__> s/SPI/SRI
14:28:18 <tidoust> DKA_: That's the question that we should be asking.
14:28:30 <tidoust> ... What's the context under which this can run in browsers.
14:28:47 <tidoust> ... This is also about looking about dependencies of the code you injected in the first place.
14:29:13 <tidoust> ... Considering all the dependencies that software has, it seems to me that there is value in applying SBOM to web applications.
14:29:38 <tidoust> ... We've heard about a CycloneDX plugin for web apps, but that feels like a new possible area of work
14:29:58 <dhuigens> s/SPI/CSP I think
14:30:07 <dom__> s/SRI/CSP
14:30:36 <dom__> q?
14:30:54 <tidoust> ack dom__
14:31:30 <tidoust> dom: Intersection between understanding what developers ship in their application and potential risks that this creates
14:31:40 <tidoust> ... is something that is interesting to explore.
14:32:03 <tidoust> ... In many cases, the code that we ship cannot be easily tied back to the libraries that were used because of compilation or transpilation.
14:32:26 <tidoust> ... How that ties to SRI, CSP, sourcemaps, and other technicologies seems a useful space of exploration
14:32:27 <mfinkel> q+
14:32:52 <tidoust> DKA_: Maybe we can talk a bit about what OWD is doing
14:33:21 <Jun> https://slsa.dev
14:33:26 <tidoust> fscholz: I've been looking at the material that exists on MDN related to security, and trying to figure out what to make of the survey results that we've seen to improve the documentation.
14:34:21 <tidoust> ... If you look at the section in MDN docs that tries to educate developers, it is actually quite thin, so there is room for improvement. For the workshop, I'd like to prepare an assessment of what we have right now on MDN
14:34:40 <tidoust> ... And come up with a set of possibe priorities of stuff to improve or add.
14:34:43 <labrax> q+ to discuss E2E
14:34:59 <tidoust> ... OWD is Open Web Docs.
14:35:09 <sangwhan> sangwhan has joined #secure-the-web
14:35:16 <tidoust> ... Based on donations from companies, we contribute to improving MDN.
14:35:26 <tidoust> DKA_: It's clear from the survey that it's needed.
14:35:28 <tidoust> q?
14:36:00 <tidoust> mfinkel: From Apple. IETF has a working group on software supply chain.
14:36:21 <tidoust> ... Still ongoing, the path is not entirely clear yet, cross-organization collaboration would be useful.
14:36:42 <sangwhan> present+
14:36:46 <tidoust> ... It's clear that securing the web is hard and that developers in general have a hard time understanding what to do.
14:36:46 <dom__> -> https://datatracker.ietf.org/wg/scitt/about/  Supply Chain Integrity, Transparency, and Trust (scitt)
14:37:11 <sangwhan> RRSAgent, draft minutes
14:37:12 <RRSAgent> I have made the request to generate https://www.w3.org/2023/09/13-secure-the-web-minutes.html sangwhan
14:37:45 <michaelficarra> can someone put the name of that IETF WG in the chat?
14:37:45 <tidoust> Arnaud: The IETF group is SCITT, right? I learned about it yesterday. Agree we should touch base.
14:37:45 <michaelficarra> crossed paths, thanks
14:37:45 <tidoust> q?
14:37:48 <tidoust> ack mfinkel
14:37:48 <tidoust> ack labrax
14:37:48 <Zakim> labrax, you wanted to discuss E2E
14:37:54 <mfinkel> https://datatracker.ietf.org/wg/scitt/about/
14:38:13 <tidoust> labrax: When I use the web, personal perspective, I trust end-to-end encryption
14:38:25 <tidoust> ... A number of applications have e2e encryption.
14:38:42 <tidoust> ... The problem is when the application is served from the same site you log into.
14:39:02 <tidoust> ... This creates a sort a man-in-the-middle situation.
14:39:04 <dhuigens> q+
14:39:11 <tidoust> ... There are workarounds.
14:39:42 <tidoust> ... We need to be able to keep an eye on an application when it updates behind the scene.
14:39:53 <tidoust> ack dhuigens
14:40:17 <tidoust> dhuigens: We will be talking about that in the Friday session of the WebAppSec working group.
14:41:00 <tidoust> ... Focusing on transparency, e.g., transparency log where you could submit the source code so that the browser could ensure that the source code it receives is the same as the one that the server is supposed to serve.
14:41:41 <tidoust> ... Of course, you still need something like an SBOM to be able to check that the bill that's there corresponds, but that seems like a complementary topic.
14:42:02 <tidoust> ... Source code transparency, that's what I've been calling it so far, but the name is not here to stay. Just a proposal for now.
14:42:27 <tidoust> DKA_: I'll be sitting with the WebAppSec group later this week. That sounds well aligned with the goals that we're looking into here.
14:42:56 <tidoust> ... Worried about taking something that was not written for the web and applying to the web.
14:43:08 <tidoust> dhuigens: Going to be Friday at 2:30pm I think.
14:43:30 <tidoust> [slide 8]
14:46:15 <tidoust> tidoust: From a dev perspective, integrating security aspects into the development lifecycle is an open question to me. A bit like tests a long time ago, where you would develop the app, then worry about tests.
14:47:16 <tidoust> DKA_: There are different chains in the development flow. Development tools. Build tools.
14:47:59 <tidoust> ... What do you need to do as a developer to integrate things in the development workflow.
14:48:17 <tidoust> labrax: One of the biggest challenges is that, as an industry, we don't know whom to trust.
14:48:26 <tidoust> ... Author, developer, browser.
14:48:34 <tidoust> ... Companies such as RedHat.
14:48:57 <tidoust> ... Where you put the line of trust has impacts on the approach you're going to take.
14:50:16 <Bert> https://www.w3.org/2023/03/secure-the-web-forward/
14:50:16 <tidoust> -> https://www.w3.org/2023/03/secure-the-web-forward/ W3C Workshop Secure the Web Forward
14:51:22 <tidoust> RRSAgent, draft minutes
14:51:53 <RRSAgent> I have made the request to generate https://www.w3.org/2023/09/13-secure-the-web-minutes.html tidoust
14:52:17 <zcorpan> RRSAgent: make logs public
15:06:57 <tidoust> tidoust has joined #secure-the-web
16:22:52 <tidoust> RRSAgent, bye
16:22:52 <RRSAgent> I see no action items