web-platform-dx/developer-research

Developer challenges in handling security

dontcallmedom opened this issue · 3 comments

As input to the Secure the Web Forward W3C workshop, the program committee has been discussing gathering data on how developers handle security challenges for their Web applications.

Category of pages: JS, Web APIs, HTTP; if possible, security-related pages

Ideally, the survey would run in April to leave enough time to process the results as input to the workshop (scheduled June 7-8).

Survey prompt before expanding: Help inform what new technologies, tools or guidance could help secure your Web content and applications!

Question 1: To keep your Web app and its users safe from security vulnerabilities, rate how easy or challenging the following aspects are:

  • understanding security threats and how they might apply to your web application
  • understanding the security model of Web browsers (e.g. same-origin policy, CORS, permissions policy)
  • keeping the frameworks and libraries your app depends on up to date
  • safely integrating third-party services (e.g. login, payment)
  • configuring the server to match the required security properties (e.g. SSL, HTTP headers)
  • detecting security vulnerabilities introduced in your development workflow (e.g. cross-site scripting)

(options provided in random order, with rating from "very easy" to "very challenging")

Question 2: What are the other main security-related challenges you're facing when developing and deploying Web content?

s/To keep... same/To keep... safe

I read question 2 as the open-ended version of question 1. If I need to spend time rating the 6 different options of question 1, I would probably pick up the option I rated as most challenging to answer question 2, simply because I'd have these options loaded in my brain. Would it be better to ask for "other" security-related challenges? Or am I misreading question 2?

Thanks, I've updated the proposal in-line to reflect your suggestions.

As discussed yesterday, feedback on this proposal is expected by Thu Apr 20 EOB AoE at the latest. Earlier feedback would be much appreciated.