Google engineer urges web devs to step up and secure their code in this data-spilling Spectre-haunted world
2021-03-08 23:22

Now web security professionals are asking developers to do their part by recognizing that Spectre broke the old threat model and by writing code that reflects the new one.

Last month, Mike West, a Google security engineer, drafted a note titled, "Post-Spectre Web Development," and Mozilla's Daniel Veditz of the W3C's Web Application Security Working Group asked the group to come to a consensus on supporting the recommendations.

West argues that Spectre demonstrated the assumptions of the web security model need to be rethought, for both browser vendors and web developers.

Citing post-Spectre Chromium project guidelines, he said the open source browser project now assumes that "'active web content will be able to read any and all data in the address space of the process that hosts it.'"

Third, web devs should prevent attackers from framing website data using framing protections.

Now it's just a matter of convincing web devs to take the time to make sure their code is secure.


News URL

https://go.theregister.com/feed/www.theregister.com/2021/03/08/post_spectre_programming/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Google 141 994 4851 2756 1634 10235