Issue status: Open. Opened by tidoust 10 months ago.
Could I suggest adding "interviews with users" in there?
It is easy to create an idea of what we think users want. But without research, it's hard to design something useful.
For example, do developers find something like SRI intuitive and easy to implement? If not, why not? If yes, what can we learn from the way other security standards are developed?
@edent thank you for your suggestion. In the past weeks, I have done some interviews with Developers, CTOs, and Community Managers in Web Application Development.
Some interesting aspects came out: in general, they confirm some of the points listed by @tidoust (documenting the threat model, structuring best practices and documentation, as well as maybe tools), as well as being able to consider Product Managers and Product Owners as stakeholders (who also have to define the various security requirements and provide enough time not only to develop but to develop in a secure way).
The report suggests the creation of a cross-organization activity that can take a holistic approach to security on the Web. This issue tracks the possible creation of that activity.
From the report, this activity could take the form of a W3C Community Group (free, open to all, no membership required), that could take on the following tasks: