Cybersecurity

The mission of the WebAssembly Working Group is to standardize a size- and load-time-efficient format and execution environment, allowing compilation to the web with consistent behavior across a variety of implementations.
 
The scope of the WebAssembly Working Group comprises addressing the need for native-performance code on the Web in applications ranging from 3D games to speech recognition to codecs—and in any other contexts in which a common mechanism for enabling high-performance code is relevant—by providing a standardized portable, size-, and load-time-efficient format and execution environment that attempts to maximize performance and interoperate gracefully with JavaScript and the Web, while ensuring security and consistent behavior across a variety of implementations.
 
Since the inception of the Web, various technologies have been developed to allow “native” applications on the Web. Techniques such as user consent with digital signatures and Virtual Machines with different capabilities than JavaScript failed to be robust in the face of increasingly high security requirements. Later efforts like Native Client, which featured robust security, failed to achieve cross-browser adoption. Cross-compilation to JavaScript using Emscripten, especially using the machine-optimization subset called asm.js, achieved some degree of success. However, consistent cross-browser performance, shared memory threads, and other machine features have proved elusive.
 
The WebAssembly format and execution environment address the shortcomings of those previous efforts.

This document provides a standardized IoT Reference Architecture using a common vocabulary, reusable designs and industry best practices. It uses a top down approach, beginning with collecting the most important characteristics of IoT, abstracting those into a generic IoT Conceptual Model, deriving a high level system based reference with subsequent dissection of that model into the four architecture views (functional view, system view, networking view and usage view) from different perspectives.

The standard provides guidelines for the security standards of organizational information and information security management practices, including the selection, implementation and management of controls, taking into account the risk environment for the security of the organisation information.

The standard defines the specific guidelines for the management of digital data which are the identification, collection, acquisition and preservation of digital evidence that can be of probative value. This standard provides guidance to individuals regarding common situations encountered during the processing of digital data and assists organizations in their disciplinary procedures and in facilitating the exchange of potential digital evidence between jurisdictions.

The international standard specifies the technical characteristics for the preparation of digital documents. It also outlines the requirements for software editing tools and methods to check that digital editing has been completed safely.
The guidelines for the preparation of information deriving from databases are not included in the standard.

The international standard specifies the technical characteristics for the preparation of digital documents. It also outlines the requirements for software editing tools and methods to check that digital editing has been completed safely.
The guidelines for the preparation of information deriving from databases are not included in the standard.

The standard provides a guideline on the mechanisms to ensure that the methods and processes used in the investigation of information security incidents are "fit for purpose". It contains the best practices regarding the definition of the requirements, the description of the methods, and demonstration of how the implementation of the methods can satisfy the requests. It also includes considerations on how vendors and third parties can be used to help this warranty process.

This standard provides a guide for the analysis and interpretation of digital data in a way that highlights problems related to continuity, validity, reproducibility and repeatability. It encompasses the best practices for selecting, designing and implementing sufficient information analysis and registration processes to allow processes to be subjected to independent review if necessary. It also provides guidance on the appropriate mechanisms to demonstrate the professionalism and competence of the investigation team.

Describes guidelines based on idealized models for common incident investigation processes across various incident investigation scenarios involving digital evidence.

The mission of the Web Authentication Working Group, in the Security Activity is to define a client-side API providing strong authentication functionality to Web Applications.
 
The Working Group will determine use cases that the API needs to support and use these to derive requirements. Success will be determined by the implementation of API features as defined in this section of the charter.
 
API Features in scope are: (1) Requesting generation of an asymmetric key pair within a specific scope (e.g., an origin); (2) Proving that the browser has possession of a specific private key, where the proof can only be done within the scope of the key pair. In other words, authentication should obey the same origin policy.
 
Dependencies exist on the Credential Management API in the W3C Web Application Security Working Group along with the Client To Authenticator Protocol specification in FIDO.
 
Note that the details of any user experience (such as prompts) will not be normatively specified, although they may be informatively specified for certain function calls.
 
The Web Authentication Working Group should aim to produce specifications that have wide deployment and should adopt, refine and when needed, extend, existing practices and community-driven draft specifications when possible. The APIs should integrate well with Web Applications and so should be developed in concert with Web Application developers and reviewed by the Web Application Security and Web Applications Working Groups.
 
Comprehensive test suites should be developed for the specification to ensure interoperability. User-centric privacy considerations of device management and credentials should be taken into account. The Working Group may produce protocol standards as needed by the API.

The mission of the Web Application Security Working Group is to develop security and policy mechanisms to improve the security of Web Applications, and enable secure cross-site communication.
 
Modern Web Applications are composed of many parts and technologies. They may transclude, reference or have information flows between resources at the same, related or different origins. Due to the historically coarse-grained nature of the security boundaries and principals defined for such applications, they can be very difficult to secure.
 
In particular, application authors desire uniform policy mechanisms to allow application components to drop privileges and reduce the chance they will be exploited, or that exploits will compromise other content, to isolate themselves from vulnerabilities in content that might otherwise be within the same security boundaries, and to communicate securely across security boundaries. These issues are especially relevant for the many web applications which incorporate other web application resources (mashups). That is, they comprise multiple origins (i.e., security principals).
 
Areas of scope for this working group include:
 
Vulnerability Mitigation

• Vulnerabilities are inevitable in sufficiently complex applications. The WG will work on mechanisms to reduce the scope, exploitability and impact of common vulnerabilities and vulnerability classes in web applications, especially script injection / XSS.

Attack Surface Reduction
 
The WG will design mechanisms to:

• Allow applications to restrict or forbid potentially dangerous features which they do not intend to use
• Govern information and content flows into and out of an application
• Allow applications to isolate themselves from other content which may contain unrelated vulnerabilities
• Sandbox potentially untrusted content and allow it to be interacted with more safely
• Uniquely identify application content such that unauthorized modifications may be detected and prevented
• Replace or augment injection-prone APIs in the browser with safer alternatives using strategies such as sanitization, strict contextual autoescaping, and other validation and encoding strategies currently employed by server-side code.

Secure Mashups
 
Several mechanisms for secure resource sharing and messaging across origins exist or are being specified, but several common and desirable use cases are not covered by existing work, such as:

• Allowing child IFRAMEs to protect themselves from "clickjacking"
• Providing labeled information flows and confinement properties to enable secure mashups. This is especially relevant for, e.g. applications communicating between security principals with different user-granted permissions (e.g. geolocation)

Manageability
 
Given the ad-hoc nature in which many important security features of the Web have evolved, providing uniformly secure experiences to users is difficult for developers. The WG will document and create uniform experiences for several undefined areas of major utility, including:

• Treatment of Mixed HTTPS/HTTP Content and defining Secure/Authenticated Origins for purposes of user experience, content inclusion/transclusion and other information flows, and for features which require a verifiably secure environment
• Providing hinting and direct support for credential managers, whether integrated into the user-agent or 3rd-party, to assist users in managing the complexities of secure passwords
• Application awareness of features which may require explicit user permission to enable.

The Web Security Model
 
The WG may be called on to advise other WGs or the TAG on the fundamental security model of the Web Platform and may produce Recommendations towards the advancement of, or addressing legacy issues with, the model, such as mitigating cross-origin data leaks or side channel attacks.
 
In addition to developing Recommendation Track documents in support of these goals, the Web Application Security Working Group may provide review of specifications from other Working Groups, in particular as these specifications touch on chartered deliverables of this group (in particular CSP), or the Web security model, and may also develop non-normative documents in support of Web security, such as developer and user guides for its normative specifications.

It is currently difficult to express banking account information, education qualifications, healthcare data, and other sorts of machine-readable personal information that has been verified by a 3rd party on the Web. These sorts of data are often referred to as verifiable claims. The mission of the Verifiable Claims Working Group is to make expressing, exchanging, and verifying claims easier and more secure on the Web. This charter focuses on use cases for education.