OWD project: Attend W3C Secure the web forward workshop #175

Closed
6 tasks done
Elchi3 opened this issue Jul 24, 2023 · 6 comments
Labels
H2 2023 Projects for July-December 2023

Comments

@Elchi3
Member

Elchi3 commented Jul 24, 2023

Problem statement

The workshop describes the problem field as follows:

The world wide web is the most pervasive development and deployment platform for applications and services. Its distributed, non-curated and amorphous nature, as well as the lack of friction, is at the same time its great differentiator and an enormous challenge, particularly in the arena of security. Security vulnerabilities in applications are a target for bad actors. When applications are deployed on the web across a heterogeneous environment of cloud providers, networks and browsers, the potential for exploitation of these vulnerabilities is increased. Insecure web applications can be a vector for malware, privacy violations, ransomware and unwanted surveillance.

There has been a recent movement to more secure software development and deployment platforms. There have also been many new features and specifications added to web platform technologies to strengthen security. However these efforts are sometimes disconnected from each other, leading to a lack of clear guidance for web developers about the threats, mitigations and indeed the role web developers play in ensuring their applications are secure.

Further, the WebDX group ran a short survey on MDN to identify the most challenging security aspects that web devs need to face today. (297 responses)

Two aspects of this survey suggest that better education to assist developers towards assessing security properties of their applications is needed:

  • "Understanding security threats": 29% said "very challenging" and 40% "somewhat challenging".
  • "Understanding the browser security model": 27% said "very challenging" and 39% said "somewhat challenging".

Proposed solutions

On a high level:

  • Identify specific work on documentation that could be useful for web developers to help them make better use of existing web security technologies.
    • Assess the current state of the MDN security docs
  • Figure out how to bring the “secure software supply chain” approach to the web development community and what docs are needed to make that happen.
  • Figure out what docs are needed so that web developers are provided with better assistance for "Understanding the browser security model" and "Understanding security threats".

Task list

  • Provide position papers. Due: July 28th
  • Prepare an OWD documentation project about Web Security
  • Attend session(s) at TPAC
  • Attend two-hour virtual session on 26th of September 2023
  • Attend two-hour virtual session on 27th of September 2023
  • Attend two-hour virtual session on 28th of September 2023

Priority assessment

No response

More information


Open Web Docs (OWD) is a non-profit collective funded by corporate and individual donations.

In order for this project to happen, please consider donating to OWD on https://opencollective.com/open-web-docs.
For more information on sponsorship and membership tiers, see https://openwebdocs.org/membership/

More information is available at https://openwebdocs.org/.
For questions, please reach out to florian@openwebdocs.org.

@Elchi3 Elchi3 added not ready H2 2023 Projects for July-December 2023 and removed not ready labels Jul 24, 2023
@Elchi3
Member Author

Elchi3 commented Jul 24, 2023

To attend the workshop, participants are asked to answer the following questions:

  • Do you have research to share, an implementation or prototype to demonstrate, or a proposal to present?
  • Do you have experience to share about the challenges and gaps you face in the Web platform addressing security issues?
  • What do you view as the single biggest shortcoming or challenge of the security ecosystem for Web developers today?

A position paper can be submitted here:
https://github.com/w3c/secure-the-web-forward-workshop/tree/main/papers

@Elchi3
Member Author

Elchi3 commented Jul 26, 2023

Paper submitted w3c/secure-the-web-forward-workshop#36

@Elchi3
Member Author

Elchi3 commented Aug 14, 2023

Chris Mills et al. have published "The MDN front-end developer curriculum" (2023). It contains a curriculum for security and privacy courses: https://github.com/mdn/curriculum/blob/main/curriculum/3-extensions/5-security-and-privacy.md

It's unclear to me what exact data/surveys this curriculum is based on or how the topics listed there have been determined, but I will try to find out. Edit: I asked this in mdn/curriculum#17

@Elchi3
Member Author

Elchi3 commented Sep 7, 2023

Our proposed workshop session will take place on September 28: https://www.w3.org/2023/03/secure-the-web-forward/agenda.html

@Elchi3
Member Author

Elchi3 commented Sep 19, 2023

Meeting minutes from the session at TPAC: https://www.w3.org/2023/09/13-secure-the-web-minutes.html

@Elchi3
Member Author

Elchi3 commented Oct 6, 2023

Notes from the workshop:
https://docs.google.com/document/d/1Twpk-ShX6fNqpXusUVzPY0OEIhbBKPt0-rI_VNdi-9A/edit#heading=h.otqqyupvuh0k

Blog post/video:
https://openwebdocs.org/content/posts/secure-the-web-forward/

Hoping to take all that we learned and create a new OWD project "Web security documentation" for us to work on in 2024.

@Elchi3 Elchi3 closed this as completed Oct 6, 2023