Meeting minutes
Will presents. Slides https://
Will: We're committed to writing docs about Web Security, we would love your feedback, especially from security experts
Will: We need better security docs on MDN
Will: We have good reference docs on CSP, CORS, etc
Will: The current content is disorganized, not usable in a structured way
Will: There is a lot of missing content for a web developer to know what is a secure web site
Will: We've come up with 4 different categories of docs: Theory, Practices, Attacks and Tools
Will: Theory is concepts like Same-origin policy
Will: The main thing I want to talk about is Practices
Will: Things a developer might need to take care of
Will: We want to provide concrete practical guidance, like auth, user input, 3rd party
Will: Authentication: We have collected ideas on what to talk about, but maybe we can get to that later
Will: Security 101 guide: a baseline to establish
Will: Need feedback on the overall shape of these docs
Will: We want feedback on how to talk about usage of frameworks, we usually talk a lot about web standards and not frameworks, but frameworks are important here
Will: The fear of imperfections: How can we help people who want to be better without the fear of saying things that aren't 100% secure
Dipika: I like the overall plan.
Dipika: Have you already identified security experts to review the docs?
Will: We haven't identified specific experts yet, but we are on it
Will: it is critically important to have expert review
Dipika: Collaborating with experts from the industry will help with the fear of imperfection
Simone: We're creating a CG within W3C to help with this
Simone: Can understand the fear of imperfection. Developers want simple solutions, like running a tool or pasting in code
Simone: I wrote guidance for web developers but it was a lot to read and people don't read
Will: Even if your code is audited later, it still makes sense to educate developers up front to avoid loads of things showing up in the audit
Will: I would love to read your guidance, Simone
Dipika: I like the approach to categorize the docs
Will: What do people think about frameworks?
Simone: Is the framework secure, and is it penetration tested? Like CSRF tokens properly configured etc
Will: Need to take a critical look at how you use frameworks
Simone: Why aren't we including server side vulnerabilities into the outline?
Will: MDN is mostly the client side, the standardized web platform
Will: Maybe we should talk more about the server side
Will: It is not my intention to exclude the server side
Will: things like input validation
Will: it's harder to talk about the server side, but it's not helpful to only talk about the client side
Simone: Proposal: Put security principles into the theory section?
Will: I have Secure design principles in my theory category. Maybe threat models should be in the list
Will: Something we haven't talked about is regulations, some governments will probably regulate this space. We can quite likely influence this with our work
Simone: In Italy they created guidelines (not mandatory) based on OWASP
Simone: more or less OWASP top 10