Cross-organization group to take a holistic approach to security on the Web

[tidoust]

The report suggests the creation of a cross-organization activity that can take a holistic approach to security on the Web. This issue tracks the possible creation of that activity.

From the report, this activity could take the form of a W3C Community Group (free, open to all, no membership required), that could take on the following tasks:

• Document threat models on the web.
• Formulate end-user stories related to security to inform groups developing technical APIs and policy makers developing regulations.
• Align security best practices targeted at web applications.
• Review possible directions to sanitize web APIs for use in isolated contexts (compartments).
• Track specifications and vendor implementations related to security.
• Recommend new specifications to be produced and find group homes for them.
• Clarify documentation needs to inform documentation writers.
• Track and promote software supply chain approaches to ease security assessments.
• Coordinate actions on the above points with external organizations.

[edent]

Could I suggest adding "interviews with users" in there?

It is easy to create an idea of what we think users want. But without research, it's hard to design something useful.

For example, do developers find something like SRI intuitive and easy to implement? If not, why not? If yes, what can we learn from the way other security standards are developed?

[simoneonofri]

@edent thank you for your suggestion. In the past weeks, I have done some interviews with Developers, CTOs, and Community Managers in Web Application Development.

Some interesting aspects came out: in general, they confirm some of the points listed by @tidoust (documenting the threat model, structuring best practices and documentation, as well as maybe tools), as well as being able to consider Product Managers and Product Owners as stakeholders (who also have to define the various security requirements and provide enough time not only to develop but to develop in a secure way).