EU cybersecurity body urges Web security review

update Existing Web standards that determine Web and browser technologies are "reaching point of no return", said the European Network and Information Security Agency (Enisa). To strengthen security-in-design of upcoming next-generation Web technologies, it is proposing improvements to 13 specifications, including HTML5.

The European Union's cybersecurity watchdog published a paper last Sunday recommending the review and improvement of 13 World Wide Web Consortium (W3C) specifications covering HTML5, cross-origin communication interfaces, device application programming interfaces (APIs) and widgets.

Elaborating, Enisa said the Web browser is "arguably the most security-critical component in our information infrastructure" as it has become the channel through which most of the world's information passes.

"Banking, social networking, shopping, navigation, card payments, managing high value cloud services and even critical infrastructures such as power networks--almost any activity you can imagine now takes place within a browser window," it stated.

This, in turn, has made browsers an increasingly "juicy target" for cybercriminals, Enisa noted. To back up its observation, the paper pointed out that the volume of Web-based attacks per day increased by 93 percent in 2010 compared with the year before.

However, many of the existing standards governing Web and browser technologies are "reaching a point of no return" and if there is no review and improvement in the 13 specifications identified, the opportunities for "security-by-design will be lost". This is because once the current suite of new standards reach recommendation status within W3C in 2014, it will be "non-negotiable for several years to come", the agency stated, pointing out that the current iteration of HTML has been unchanged since 1999.

Enisa's recommendations focus on controls functionality, permission system design, end-user policing and more detailed user interface requirements, among others.

The W3C has welcomed Enisa's recommendations, according to a Monday report by technology news site ComputerWeekly.com. "We have encouraged Enisa to report the issues it has identified to the relevant W3C Working Groups," said Thomas Roessler, W3C's security lead.

Security vendor Symantec also received Enisa's proposals positively. Ng Kai Koon, senior manager of legal and public affairs at Symantec Singapore, noted that with the increasingly treacherous and rapidly evolving threat landscape, the company "welcomes any initiatives by government agencies that help improve [the overall] cybersecurity posture".

"We believe that cultivating a strong public-private partnership plays an important role in enhancing security awareness, and are committed to sharing insights and best practices to help develop national capabilities for governments to defend essential and critical infrastructure from internal and external threats," Ng added.