[OpenAjaxSecurity] Minutes from phone call on 2007-07-27
Jon Ferraiolo
jferrai at us.ibm.com
Fri Jul 27 17:06:44 PDT 2007
URL: http://www.openajax.org/member/wiki/Security_Minutes_2007-07-27
OpenAjax Alliance Security Task Force minutes 2007-07-27
Attendees
Larry Koved <koved(at)us.ibm.com>, chair
Jon Ferraiolo <jferrai(at)us.ibm.com>
Xiaofeng Fan <xiaoffan(at)microsoft.com> -- at MSR working with Helen Wang
Naohiko Uramoto <uramoto(at)jp.ibm.com>
Sachiko Yoshihama <SACHIKOY(at)jp.ibm.com>
Yuecel Karabulut <yuecel.karabulut(at)sap.com>
David Boloker <boloker(at)us.ibm.com>
Frederik De Keukelaere <eb41704(at)jp.ibm.com>
Suresh N. Chari <schari(at)us.ibm.com>
Sumeer Bhola <sbhola(at)us.ibm.com>
Original Agenda
Summary of the third meeting (consensus and open issues, action items
for the group)
WP3 - Ajax and Mashup Security white paper
See work in progress:
http://www.openajax.org/member/wiki/WP3_-_Ajax_and_Mashup_Security
Mashup Security Approaches (work in progress)
See work in progress:
http://www.openajax.org/member/wiki/Mashup_Security_Approaches
Date/time for follow-up task force phone call
Wrap up
Minutes
Reviewed minutes
Topic: Security white paper: Jon F
Took the IBM DeveloperWorks article and updated the sections that were
only overviews; they are now complete. The paper needs reviewing and
editing. A section on innerHTML was also added.
A question remains about the GreaseMonkey section, as well as the
"Resources" section.
So it is now time to review and edit it; these are Marketing
activities.
What to do with GreaseMonkey section? Recommend taking it out. It is
more for fringe developers. Sachiko and Naohiko agree the section
should be removed. Perhaps make some general comments about plug-ins.
Jon agrees.
Uramoto -- need some more discussion on browser-specific behavior.
However, that may be for another paper.
Section 2.3 is about attack scenarios. Jon: add 2.3.3 which discusses
browser extensions. Basically, browsers go to great lengths to
provide security. Extensions may allow attackers to do bad things.
Often these extensions don't have the same attention to security as
the browser itself. Jon will fill this in.
Suresh: Section 2.5.2 mentions vulnerability checking tools. However,
we don't point to specific tools. This seems like an ineffective
recommendation without recommendations. Xiaofeng will see what tools
will be in Visual Studio. He will try to get info. There is
Watchfire. There are other commercial services / tools. These will be
listed in the resources.
Jon F. --
Resource section. Remove it? Put it on the Wiki page? So, the
paper ends with the Conclusion. The resource section would be a
link to the new Resources wiki page.
On the Resource page, categorize the resources.
Sachiko will set up the resource page. Jon will create the page
and let Sachiko know where it is.
Xiaofeng -- different use cases result in different attack scenarios.
Proposed: new sections 2.2 and 2.3 that examine existing use cases? He
will create a draft and mail it to the white paper authors. Will send a
draft by next Monday.
The author list? Other OAA papers do not have names. Remove the names
from the Wiki, but keep the reference to DeveloperWorks.
Some organizational discussion on section 2.3 and the section titles.
Some consistency needs to be applied here.
Suresh: Xiaofeng had suggested techniques for creating mashups. As
such, there are unsafe practices that can result in vulnerabilities.
Yuecel: found a new paper, which may not be included: another IBM
DeveloperWorks article. He will update the wiki with a summary of
this article.
Topic: Comm Hub TF -- Jon F
F2F recently
4 participants - Wilkins, Wei, Jon, Howard (Tibco)
Most proposals were coming from these 4
Nominal agreement on what to propose for next steps
Comm TF meeting next week to talk with the other members.
The following week joint meeting between: Security, Comm Hub &
Interop
Comm guys mostly interested in Comet -- server push
Sensitive to other use cases, as well as security.
General approach: support iframes for sandboxing, with the OA Hub for
cross-frame communication.
Fred: how to enable SMash in the hub? Should Fred join the comm TF
meeting?
Jon: Don't worry about the spec yet. Work on the general
approaches. Once working, then work out the issues. Hub TF
excited about working w/security
Xiaofeng: will ask Bertrand on how MS will work w/Hub,
particularly with security
Jon: MS will not look at and/or contribute to the open
source aspects. Will focus on standards / specs.
*Jon: Go into the SVN project, create a fork. E.g., create a
subdirectory in the sandbox area and work there.
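The iframe-sandboxing plus hub approach noted above, as an added example
written for these minutes rather than code from OpenAjax Hub or SMash. It
assumes a hypothetical hub API (createHub, onMessage, per-widget publish
and subscribe lists) and simulates the browser's postMessage so that the
origin check, message validation and topic policy can be run stand-alone;
the widget origins and messages are constructed for the demo.

```javascript
// Added example, not OpenAjax Hub/SMash code: a host-page hub that mediates
// messages between sandboxed <iframe> widgets. In a browser the host wires
// window.addEventListener("message", hub.onMessage) and each widget calls
// parent.postMessage(msg, HOST_ORIGIN); here `post` stands in for
// iframe.contentWindow.postMessage so the logic runs stand-alone under Node.

function createHub({ widgets }) {
  // widgets: origin -> { publish: [topics], subscribe: [topics], post(msg, targetOrigin) }
  const subscriptions = new Map(); // exact topic -> Set of subscriber origins
  const audit = [];                // one record per handled message

  // Topic patterns are exact names or a "prefix.*" wildcard.
  function topicAllowed(patterns, topic) {
    return patterns.some(p =>
      p === topic || (p.endsWith(".*") && topic.startsWith(p.slice(0, -1))));
  }

  function reject(origin, reason) {
    audit.push({ origin, result: reason });
    return false;
  }

  // Handler for a "message" event of the shape { origin, data }.
  function onMessage(event) {
    // 1. Origin check: the browser sets event.origin and a frame cannot
    //    forge it, so an allow-list of registered widget origins is the gate.
    const widget = widgets[event.origin];
    if (!widget) return reject(event.origin, "unknown-origin");

    // 2. Schema check: data from another frame is untrusted input.
    const msg = event.data;
    if (!msg || typeof msg !== "object" ||
        typeof msg.type !== "string" || typeof msg.topic !== "string") {
      return reject(event.origin, "malformed");
    }

    if (msg.type === "subscribe") {
      if (!topicAllowed(widget.subscribe, msg.topic)) {
        return reject(event.origin, "subscribe-denied:" + msg.topic);
      }
      if (!subscriptions.has(msg.topic)) subscriptions.set(msg.topic, new Set());
      subscriptions.get(msg.topic).add(event.origin);
      audit.push({ origin: event.origin, result: "subscribed:" + msg.topic });
      return true;
    }

    if (msg.type === "publish") {
      if (!topicAllowed(widget.publish, msg.topic)) {
        return reject(event.origin, "publish-denied:" + msg.topic);
      }
      // 3. Forward plain data only: a JSON round trip drops functions and
      //    other non-data values before the payload reaches other frames.
      const payload = JSON.parse(JSON.stringify(
        msg.payload === undefined ? null : msg.payload));
      let delivered = 0;
      for (const target of subscriptions.get(msg.topic) || []) {
        if (target === event.origin) continue; // no echo to the publisher
        // 4. Always name the target origin (never "*") so a frame that has
        //    navigated elsewhere cannot receive the event.
        widgets[target].post(
          { type: "event", topic: msg.topic, payload, from: event.origin },
          target);
        delivered++;
      }
      audit.push({ origin: event.origin, result: "published:" + msg.topic, delivered });
      return delivered;
    }
    return reject(event.origin, "unknown-type:" + msg.type);
  }

  return { onMessage, audit };
}

// Constructed scenario: two legitimate widgets plus an unregistered origin.
function runDemo() {
  const inbox = { "https://map.example": [], "https://news.example": [] };
  const post = (m, target) => inbox[target].push(m);
  const hub = createHub({ widgets: {
    "https://map.example":  { publish: ["map.*"],  subscribe: ["news.headline"], post },
    "https://news.example": { publish: ["news.*"], subscribe: ["map.*"],         post },
  } });
  const send = (origin, data) => hub.onMessage({ origin, data });
  return {
    subNews: send("https://map.example", { type: "subscribe", topic: "news.headline" }),
    subMap: send("https://news.example", { type: "subscribe", topic: "map.center" }),
    // the function in this payload is dropped on the JSON round trip
    pubOk: send("https://news.example",
      { type: "publish", topic: "news.headline", payload: { text: "hello", fn: () => 1 } }),
    pubDenied: send("https://map.example",
      { type: "publish", topic: "news.headline", payload: { text: "spoof" } }),
    unknownOrigin: send("https://evil.example",
      { type: "publish", topic: "map.center", payload: {} }),
    malformed: send("https://map.example", "subscribe news.headline"),
    inbox, audit: hub.audit,
  };
}
```

runDemo() returns the per-message results and each widget's inbox. In a
real page the only changes are registering hub.onMessage as the window's
message listener and replacing post with iframe.contentWindow.postMessage;
the points to keep are that event.origin is the only trustworthy identifier
of the sending frame, that message shape and topic permissions are checked
before anything is routed, and that every outbound postMessage names its
target origin rather than "*".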
Topic: Next meeting in 2 weeks.
Possible joint meeting w/communication and interop task forces
Resume discussion re: white paper
Discuss SMash and MashupOS
Adjourn