OWASP Global AppSec Lisbon 2024

From a distance, it can feel like standards float down from a tall ivory tower to become the received law by us mere mortals. They're a basis for building software and defenses, but once they're established, there's not much to do about it other than to look forward to the next one whenever it comes down from on high.

In reality, standards are produced by software engineers just like any piece of software. These days, standards groups work hard to welcome anyone who puts in good technical work, regardless of where you come from or who you work for, just like any well-run open source project.

Standards are a great complement to open source software, especially when you need to evaluate or coordinate multiple implementations. This is why the Internet is built atop them. As explained in "The Tangled Web," the differences between implementations often constitute security issues themselves, and standards aim to reduce those differences by providing a common point for everyone to target. Standards can also facilitate communication to help widely distribute crucial security fixes.

We're going to need security experts like you to help us develop strong defenses in standards, many of which are in development across a wide range of technologies today. In this talk, I hope to convince you to consider getting engaged in this process by showing you some exciting current issues at the intersections between standards and security. We'll talk about JavaScript, standardized in Ecma TC39, and the new Ecma TC54 to standardize CycloneDX. You'll learn what kind of help is needed by the security standards community, and how you can get involved.