20:04:06 <RRSAgent> RRSAgent has joined #mdn-security
20:04:10 <RRSAgent> logging to https://www.w3.org/2024/03/12-mdn-security-irc
20:04:10 <tpac-breakout-bot> RRSAgent, do not leave
20:04:11 <tpac-breakout-bot> RRSAgent, make logs public
20:04:12 <tidoust> tidoust has joined #mdn-security
20:04:12 <tpac-breakout-bot> Meeting: Web security docs for MDN
20:04:12 <tpac-breakout-bot> Chair: wbamberg
20:04:12 <tpac-breakout-bot> Agenda: https://github.com/w3c/breakouts-day-2024/issues/14
20:04:12 <Zakim> Zakim has joined #mdn-security
20:04:13 <tpac-breakout-bot> Zakim, clear agenda
20:04:13 <Zakim> agenda cleared
20:04:13 <tpac-breakout-bot> Zakim, agenda+ Pick a scribe
20:04:14 <Zakim> agendum 1 added
20:04:14 <tpac-breakout-bot> Zakim, agenda+ Reminders: code of conduct, health policies, recorded session policy
20:04:14 <Zakim> agendum 2 added
20:04:14 <tpac-breakout-bot> Zakim, agenda+ Goal of this session
20:04:16 <Zakim> agendum 3 added
20:04:16 <tpac-breakout-bot> Zakim, agenda+ Discussion
20:04:16 <Zakim> agendum 4 added
20:04:16 <tpac-breakout-bot> Zakim, agenda+ Next steps / where discussion continues
20:04:17 <Zakim> agendum 5 added
20:04:17 <tpac-breakout-bot> tpac-breakout-bot has left #mdn-security
21:26:30 <wbamberg> wbamberg has joined #mdn-security
21:57:25 <fscholz> fscholz has joined #mdn-security
22:00:53 <fscholz> scribe+
22:02:17 <fscholz> scribenick: fscholz
22:05:40 <fscholz> present+ Simone_Onofri Will_Bamberg Rick_Byers Enrico Morisi Dipika Florian_Scholz
22:06:27 <fscholz> Will presents. Slides https://wbamberg.github.io/web-security-w3c-breakouts-march-2024/
22:07:44 <fscholz> Will: We're committed to write docs about Web Security, we would love your feedback, especially from security experts
22:09:01 <fscholz> Will: We need better security docs on MDN
22:09:13 <fscholz> Will: We have good reference docs on CSP, CORS, etc
22:10:07 <fscholz> Will: The current content is disorganized not usuable in structured way
22:10:29 <fscholz> Will: There is a lot of missing content for a web developer to know what is a secure web site
22:11:15 <fscholz> Will: We've come up with 4 different categories of docs: Theory, Practices, Attacks and Tools
22:11:46 <fscholz> Will: Theory is concepts like Same-origin policy
22:12:11 <fscholz> Will: The main thing I want to talk about is Practices
22:12:30 <fscholz> Will: Things a developer might need to take care of
22:14:10 <fscholz> Will: We want to provide concrete practical guidance, like auth, user input, 3rd party
22:14:48 <fscholz> Will: Authentication: We have collected ideas on what to talk about, but maybe we can get to that later
22:15:41 <fscholz> Will: Security 101 guide: a baseline to establish
22:16:08 <fscholz> Will: Need feedback on the overall shape of these docs
22:17:06 <fscholz> Will: We want feedback on how talk about usage of frameworks, we usually talk a lot about web standards and not frameworks, but frameworks are important here
22:18:47 <fscholz> Will: The fear of imperfections: How can we help people who want to be better without the fear of saying things that aren't 100% secure
22:19:03 <fscholz> Dipika: I like the overall plan.
22:19:35 <fscholz> Dipika: Have you already identified security experts to review the docs?
22:20:40 <fscholz> WIll: We haven't identified specific experts yet, but we are on it
22:20:56 <fscholz> Will: it is critically important to have expert review
22:21:26 <fscholz> Dipika: Collaborating with experts from the industry will help with the fear of imperfection
22:22:24 <fscholz> Simone: We're creating a CG within W3C to help with this
22:23:45 <fscholz> Simone: Can understand the fear of imperfection. Developers want simple solutions, like running a tool or pasting in code
22:25:05 <fscholz> Simone: I wrote guidance for web developers but it was a lot to read and people don't read
22:25:54 <fscholz> Will: Even if your code is audited later, it sill makes sense to educate developers up front to avoid loads of things to show up in the audit
22:26:11 <fscholz> Will: I would love to read your guidance, Simone
22:26:29 <fscholz> Dipika: I like the approach to categorize the docs
22:27:14 <fscholz> Will: What do people think about frameworks?
22:29:33 <fscholz> Simone: Is the framework secure, and is it penetration tested? Like CSRF tokens properly configured etc
22:29:49 <fscholz> Will: Need to take a critical look at how you use frameworks
22:31:21 <fscholz> Simone: Why aren't we including server side vulnerabilities into the outline?
22:31:54 <fscholz> Will: MDN ist mostly the client side, the standardized web platform
22:32:19 <fscholz> Will: Maybe we should talk more about the server side
22:32:58 <fscholz> Will: It is not my intention to exclude the server side
22:33:24 <fscholz> Will: things like input validation
22:33:49 <fscholz> Will: its harder to talk about the server side, but its not helpful to only talk about the client side
22:35:14 <fscholz> Simone: Proposal: Put security principls into the theory section?
22:36:03 <simone> s/principls/principles/
22:36:25 <fscholz> Will: I have Secure design principles in my theory category. Maybe threat models should be in the list
22:40:56 <fscholz> Will: Something we haven't talke about is regulations, some governments will probably regulate this space. We can influence this quite likely with our work
22:41:53 <fscholz> Simone: In Italy they created guidelines (not mandatory) based on OWASP
22:42:14 <fscholz> Simone: more or less OWASP top 10
22:53:24 <fscholz> rrsagent, make minutes
22:53:26 <RRSAgent> I have made the request to generate https://www.w3.org/2024/03/12-mdn-security-minutes.html fscholz