SECURITY VISION IN W3C
Judy Zhu (AB Member, Alibaba Group)

Contents
- Security risks
- Standard requirements
- Current security work in W3C
- Call for actions about W3C security work
- Summary

Top 10 most critical web application security risks in 2017
- A1: Injection
- A2: Broken Authentication and Session Management
- A3: Cross-Site Scripting (XSS)
- A4: Broken Access Control
- A5: Security Misconfiguration
- A6: Sensitive Data Exposure
- A7: Insufficient Attack Protection
- A8: Cross-Site Request Forgery (CSRF)
- A9: Using Components with Known Vulnerabilities
- A10: Underprotected APIs
Note: Extracted from OWASP (Open Web Application Security Project).

Some security problems from Chinese market
[Figure: seven example security problems; the image is not recoverable as text.]
Note: Extracted from Alibaba JAQ 2016 Annual Security Report.

Some security statistics from Chinese market -1
Mobile client virus sample type percentages in 2016 (chart categories; the percentages are not recoverable as text): Immoral behavior, Malicious charge, Privacy leakage, Pirate application, Trap and fraud, SMS hijacking, System destroy, Phishing hacking, Remote control.
Note: Extracted from Alibaba JAQ 2016 Annual Security Report.

Some security statistics from Chinese market -2
Security vulnerability type changes from 2015 to 2016 (chart categories; the counts are not recoverable as text):
- Webview remote code execution
- Webview unencrypted password storage
- Denial of service
- SharedPrefs arbitrary read and write
- Hard-coded secret key risk
- AES/DES weak encryption risk
- Webview no certificate verification
- Weak certificate verification
- PendingIntent mistaken usage risk
- Man-in-the-middle attack
- Intent scheme URL security vulnerability
- Host name weak verification
- Zip file directory traversal
Note: Extracted from Alibaba JAQ 2016 Annual Security Report.

Standard requirements in security (Why / What / How)
- Why: Traditional authentication is vulnerable. What: Stronger authentication. How: Multi-factor authentication, biometric authentication.
- Why: More IoT devices, more influence on our lives. What: IoT security. How: Authentication, authorization, anti-DDoS.
- Why: The web environment is essential to the internet, so web security is crucial. What: Web security and web app security. How: Content Security Policy, Web Cryptography, Credential Management.
- Why: Personal information leakage leads to internet fraud. What: Privacy protection. How: Encryption, de-sensitization, de-identification.

Current security work in W3C -1 (completed work and drafts by group)
- Web App Security WG: Recommendation 3 (CSP Level 2, Subresource Integrity, Cross-Origin Resource Sharing); Group Note 4 (CSP 1.0, CSP: Cookie Control, CSP Pinning, Entry Point Regulation); Candidate Recommendation 4 (Referrer Policy, Secure Contexts, Mixed Content, Upgrade Insecure Requests); Working Draft 10 (CSP Level 3, Clear Site Data, Credential Management Level 1, etc.)
- Web Authentication WG: Working Draft 1 (Web Authentication API)
- Web Cryptography WG: Recommendation 1 (Web Cryptography API)
- Privacy IG: Working Draft 1 (Fingerprinting Guidance for Web Specification Authors)

Current security work in W3C -1
Web Application Security WG
- Re-charter was approved on 22 March, 2017: https://www.w3.org/2011/webappsec/charter-2017.html
- Chartered new work: Vulnerability Mitigation, Attack Surface Reduction, and Web Security Model.
- CSP (Content Security Policy) Level 2 was published as a Recommendation on 15 Dec, 2016: https://www.w3.org/TR/2016/REC-CSP2-20161215/
- Development is ongoing for CSP Level 3: https://www.w3.org/TR/CSP/
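As an added example (not from the presentation, and not W3C's own code), the check that the WebAppSec WG's Subresource Integrity recommendation standardizes, in Python: the page embeds the expected digest in an integrity attribute, and a cross-origin script is used only if the fetched bytes match the strongest hash listed. The script body, CDN URL and attribute values are constructed for the example.

```python
import base64
import hashlib

# Constructed sample: the script a page expects to receive from a CDN.
SCRIPT_BODY = b"console.log('hello from the cdn');\n"

# Hash functions SRI accepts, ordered from weakest to strongest.
ALGO_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_metadata(body: bytes, algo: str = "sha384") -> str:
    """Build one integrity token, e.g. 'sha384-<base64 digest>', for a resource body."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(attr: str) -> list:
    """Split an integrity attribute into (algorithm, base64 digest) pairs.

    Tokens naming an algorithm the user agent does not support are ignored,
    and any '?options' suffix after the digest is stripped.
    """
    parsed = []
    for token in attr.split():
        algo, sep, rest = token.partition("-")
        if not sep or algo.lower() not in ALGO_STRENGTH:
            continue
        parsed.append((algo.lower(), rest.split("?", 1)[0]))
    return parsed


def integrity_matches(body: bytes, attr: str) -> bool:
    """Decide whether fetched bytes may be used under the given integrity attribute.

    No usable metadata means no check is applied. Otherwise only tokens using the
    strongest listed algorithm count, and any one of them matching is enough, which
    lets a page list the digests of two script versions during a rollout.
    """
    tokens = parse_integrity(attr)
    if not tokens:
        return True
    strongest = max(ALGO_STRENGTH[algo] for algo, _ in tokens)
    for algo, expected in tokens:
        if ALGO_STRENGTH[algo] == strongest and sri_metadata(body, algo) == f"{algo}-{expected}":
            return True
    return False


if __name__ == "__main__":
    attr = sri_metadata(SCRIPT_BODY)
    # crossorigin is needed because SRI on a cross-origin script requires a CORS response.
    print(f'<script src="https://cdn.example/app.js" integrity="{attr}" crossorigin="anonymous">')
    print("tampered copy accepted:", integrity_matches(SCRIPT_BODY + b"evil();", attr))
```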
Web Authentication WG
- Actively developing the Web Authentication API: https://www.w3.org/TR/webauthn/

Current security work in W3C -2
Web Cryptography WG
- Web Cryptography API was published in Jan, 2017: https://www.w3.org/TR/WebCryptoAPI/
- The WG is now closed, and maintenance work happens under the supervision of the Web Security IG.
Web Security IG
- Re-charter was approved in Jan, 2017: https://www.w3.org/2017/03/security-ig-charter.html
- Chartered work: Incubate new ideas, Horizontal Reviews, Web Security Incident Review.
Privacy IG
- Chartered deliverable: Privacy Considerations for Web Standards.
- Ongoing work: privacy questionnaire, fingerprinting guidance, privacy reviews.

Call for actions about W3C security work (call for action / directions)
- Improve security considerations or reviews. Some specs don't have carefully written security considerations, and the written security considerations don't get enough reviews. Directions: process considerations; build a security review community; outreach to researchers.
- Improve participation in some security groups. Directions: enhance participation in the Web Security IG and the Privacy IG; invite external experts; security education.
- New standard topics need to be explored to address new security challenges: stronger authentication (human ontology authentication), IoT security, blockchain security. Directions: incubation; get inputs from vertical industry; utilize CGs to discuss new ideas.
We also welcome inputs from AC members!

IoT Security
Security accident examples:
- October 21, 2016: DDoS attack on Dyn's Managed DNS infrastructure.
- In 2014, a remote code execution vulnerability affected more than 150000 webcam devices because of weak passwords.
Security requirements: Secure booting, device authentication, access control, anti-DDoS, secure software updates and patches.

Stronger authentication
- USB Key, SMS Code, OneKey Confirmation, OTP Token
- Web API for human ontology authentication? Keyboard pressing, fingerprint, mouse moving track, palmprint, handwriting, finger pressing, iris, face.
- Advantages: (1) Portable (2) Secure (3) Stable (4) Unique (5) Universal (6) Convenient (7) Collective (8) Acceptable

Suggestions for future work (People / Process / Technology)
- Utilize internal (e.g. Privacy IG, Web Security IG) and external (e.g. IETF) security resources.
- Invite external experts to share their security issues, challenges, technology trends, etc.
- Use security-related IGs to incubate new ideas.
- Encourage early participation in vertical groups, e.g. IoT, Web Payments.
- Encourage the usage of the security and privacy questionnaire.
- Organize workshops to explore new security standard topics.

Summary
- Improve security review: utilize the security and privacy questionnaire; review from the W3C security community; review from external security experts.
- Enhance security participation: give enough staff resource support; give high priority to security work.
- Explore new security standard topics: blockchain security; IoT security aspects; absorb industry standard requirements; human ontology authentication.

My standard formula
Excellent Standard = f(Urgent Problem, Solid Technology, Implementation, Testing, Standard Writing)

A standard poem
Note: Chairman Mao wrote the original poem; here we changed the words but kept his style and format.
Translation: Qinyuanchun: Standards
Recalling the past, debates and discussion, brilliant ideas everywhere.
All these gone, strategy and tactics, handling problems case by case.
But if looking for more truly great people, we still need to rely on the people of today.
Whatever national standard, industry standard or anything else, as long as they are useful, they are good standards!

The Future of W3C and China Market
[Figure: the China market and W3C; the image is not recoverable as text.]
THANK YOU FOR LISTENING!