- Workshop report published (31 January 2024)
- Notes from live sessions available (3 October 2023)
- Slides and talks published (2 October 2023)
- Live sessions agenda published (7 September 2023)
- Position papers published (2 August 2023)
- Deadline for position papers extended to end of August (2 August 2023)
Interested parties may join the #security
channel on the W3C Community Slack instance to continue discussions.
Purpose of this workshop
The world wide web is the most pervasive development and deployment platform for applications and services. Its distributed, non-curated and amorphous nature, as well as the lack of friction, is at the same time its great differentiator and an enormous challenge, particularly in the arena of security. Security vulnerabilities in applications are a target for bad actors. When applications are deployed on the web across a heterogeneous environment of cloud providers, networks and browsers, the potential for exploitation of these vulnerabilities is increased. Insecure web applications can be a vector for malware, privacy violations, ransomware and unwanted surveillance.
There has been a recent movement to more secure software development and deployment platforms. There have also been many new features and specifications added to web platform technologies to strengthen security. However these efforts are sometimes disconnected from each other, leading to a lack of clear guidance for web developers about the threats, mitigations and indeed the role web developers play in ensuring their applications are secure.
Possible outcomes include:
- Identifying specific work on documentation that could be useful for web developers to help them make better use of existing web security technologies;
- Recommending a new working group in W3C, OpenSSF or elsewhere, or a joint task force
- Determining what updates are needed in commonly used libraries;
- Describing potential new web features / new language features in commonly used programming languages;
- Calling for updates to commonly used web standard APIs;
- Planning for collaboration between web standards and open source security initiatives;
- Planning for producing concise guidance on security issues that is aimed at web developers.
Topics covered
- How to bring the “secure software supply chain” approach to the web development community.
- Guidance for different types of web developers who work at different levels of the stack.
- How to make emerging web application security standards and technologies easier to use and adopt by web developers.
- How can open source security focused efforts better support the web developer community?
- How can Open Source security review processes serve as inspiration for review of new web specifications?
- How do we make security part of the goals and priorities for business owners, product owners, product managers, etc…?
Location and Time
The workshop discussions will happen during on-line sessions to be scheduled on September 26-28, 2023. See below for other relevant dates.
Important Dates
The workshop will be primarily virtual across 3 two-hour virtual sessions held on the 26th, 27th and 28th of September.
In preparation we will be holding open in-person meet-ups (less formal discussions) at W3C's TPAC event in Seville, Spain on the 13th of September (time tbd) and at the Open Source Summit Europe event in Bilbao, Spain, the week of September 18th (exact date and time tbd).
Important dates are as follows:
- Position papers due:
July 28th, see accepted position papers. Additional position papers welcome until 31 August 2023. - Invitations sent to participants: August 4th
- Program Announced: August 25th
- In-person meet-ups: September 13th and week-of September 18th (date tbd)
- Virtual workshop: September 26th-28th
Program Committee
- Dan Appelquist (Snyk) - chair
- Hadley Beeman (TAG)
- Harold Blankenship (OWASP)
- Jory Burson (OpenJS)
- François Daoust (W3C)
- Robin Ginn (OpenJS)
- Dominique Hazael-Massieux (W3C)
- Arnaud Le Hors (IBM)
- Christopher Robinson (Intel, OpenSSF)
- Mike West (Google)
- Vandana Verma Sehgal (OWASP)
What is W3C?
The mission of the World Wide Web Consortium (W3C) is to lead the Web to its full potential by creating technical standards and guidelines to ensure that the Web remains open, accessible, and interoperable for everyone around the globe. W3C well-known standards HTML and CSS are the foundational technologies upon which websites are built. W3C works on ensuring that all foundational Web technologies meet the needs of civil society, in areas such as accessibility, internationalization, security, and privacy. W3C also provides the standards that undergird the infrastructure for modern businesses leveraging the Web, in areas such as entertainment, communications, digital publishing, and financial services. That work is created in the open, provided for free and under the groundbreaking W3C Patent Policy.
W3C's vision for "One Web" brings together thousands of dedicated technologists representing more than 400 member organizations and dozens of industry sectors. W3C is a public-interest non-profit organization incorporated in the United States of America, led by a Board of Directors and employing a global staff across the globe.
Who is OWASP?
The Open Worldwide Application Security Project® (OWASP) is a nonprofit foundation that works to improve the security of software. Through community-led open-source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web.
What is the OpenJS Foundation?
OpenJS Foundation the home of high-impact, supply-chain critical open source JavaScript projects including Electron, jQuery, Node.js, and many more. Our mission is to support the healthy growth of JavaScript and web technologies by providing a neutral organization to host and sustain projects, as well as collaboratively fund activities that benefit the ecosystem as a whole.
What is the OpenSSF?
The OpenSSF is a cross-industry organization that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all.