Security News > 2021 > March > Google engineer urges web devs to step up and secure their code in this data-spilling Spectre-haunted world

Google engineer urges web devs to step up and secure their code in this data-spilling Spectre-haunted world
2021-03-08 23:22

Now web security professionals are asking developers to do their part by recognizing that Spectre broke the old threat model and by writing code that reflects the new one.

Last month, Mike West, a Google security engineer, drafted a note titled, "Post-Spectre Web Development," and Mozilla's Daniel Veditz of the W3C's Web Application Security Working Group asked the group to come to a consensus on supporting the recommendations.

West argues that Spectre demonstrated the assumptions of the web security model need to be rethought, for both browser vendors and web developers.

Citing post-Spectre Chromium project guidelines, he said the open source browser project now assumes that "'active web content will be able to read any and all data in the address space of the process that hosts it.

Third, web devs should prevent attackers from framing website data using framing protections.

Now it's just a matter of convincing web devs to take the time to make sure their code is secure.


News URL

https://go.theregister.com/feed/www.theregister.com/2021/03/08/post_spectre_programming/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Google 102 256 4320 4678 741 9995