Security Minutes 2007-06-29

From MemberWiki


URL: http://www.openajax.org/member/wiki/Security_Minutes_2007-06-29


OpenAjax Alliance Security Task Force minutes 2007-06-29

Attendees

  • Larry Koved <koved@us.ibm.com>
  • Jon Ferraiolo <jferrai(at)us.ibm.com>
  • Bertrand Le Roy <bleroy (at) microsoft.com>
  • Gideon Lee <glee(at)openspot.com>
  • David Boloker <boloker(at)us.ibm.com>
  • Naohiko Uramoto <uramoto(at)jp.ibm.com>
  • Sachiko Yoshihama <SACHIKOY(at)jp.ibm.com>
  • Michael Steiner <msteiner(at)us.ibm.com>
  • Yuecel Karabulut <yuecel.karabulut(at)sap.com>
  • Suresh N. Chari <schari(at)us.ibm.com>
  • Sumeer Bhola <sbhola(at)us.ibm.com>
  • Frederik De Keukelaere <eb41704(at)jp.ibm.com>

Original Agenda

  • Summary of the first meeting (consensus and open issues, action items for the group)
  • Decide on how to proceed with an OpenAjax Alliance security white paper (including security best practices)
    • If / how to bring in marketing into this discussion
    • Building a list of links to materials (resources) on web/mashup/ajax security
  • Discussion of recent publications (MashupOS, IBM Ajax security white paper)
  • Discuss how to proceed in defining and documenting use cases that will drive the ongoing security discussion
  • Any other business?
  • Date/time for follow-up task force phone call
  • Wrap up

Minutes

Larry reviewed the last call. Jon has updated the web pages. A wiki page on use cases has been started at http://www.openajax.org/member/wiki/Security_Use_Cases

Larry raised the issue of use cases and what we should document as use cases. Secure mashups, both client-side and server-side, seem to be the focus areas. Federated identity is perhaps another area where we really need to get the use cases nailed down.

Another set of documentation could cover best practices and security issues. Lots of articles already exist. David Boloker pointed out that while many articles exist, there is a lot of FUD and contradictory information. We need to decide on a few issues to focus on and provide pointers to a select few articles. This was also emphasized by Bertrand Le Roy, who felt that even where articles exist we could describe the issues ourselves and then point to the right articles.

It was agreed that we need to write up use cases. There was discussion of what the purpose of these would be: they serve both an educational and a technical role.

Naohiko Uramoto asked who these use cases are targeted at. Currently they are targeted at the developer. There was discussion on whether we also need to target the end user.

Jon pointed out that we need to have multiple use cases covering the various entities in a mashup application.

Sachiko Yoshihama talked about covering the different trust models.

Yuecel talked about understanding what the trust infrastructure is for web 2.0 applications, i.e. for trust in the traditional sense we need a PKI; what is the equivalent for web 2.0?

Larry asked for volunteers for the use cases:

  • Larry volunteered to document a portal like use case
  • Naohiko volunteered a scenario motivated by attacks
  • Bertrand volunteered a web-services-based use case
  • Gideon Lee volunteered to document a use case based on a webtop application.

Larry asked if there were any thoughts on the various solutions proposed by various parties for the secure mashup problem.

  • Jon expressed some misgivings about the MashupOS paper. He felt they were trying to adapt the desktop security model to mashup applications.
  • Michael Steiner felt that we should perhaps have a wiki page on the various technologies and options and hold the discussion on the wiki. This was agreed to.
  • Everyone felt that we need a social-computing-related scenario.
  • Gideon pointed out that we need to discuss some related issues, such as the case where spammers place a transparent iframe over legitimate content so that a click takes the user to the spammer's site. Larry and Michael pointed out that there has been work on addressing flaws in GUI logic. See the paper at http://research.microsoft.com/research/pubs/view.aspx?tr_id=1228, which was presented at IEEE S&P 2007.

Todos from this call:

1. We need to document use cases, pointing out the various stakeholders and the security issues.

Volunteers:

  • Larry: portal based scenario
  • Naohiko: scenario with code injection/CSRF; social-networking-based scenario.
  • Bertrand: web service based scenario
  • Gideon: webtop related sandboxing
  • Yuecel: alternative web-service-based scenario.

2. Wiki page with the various alternatives for mashup security

  • Suresh Chari to make initial wiki page

3. Next meeting: 13th.
