The European Web Security Roadmap is the final deliverable of the STREWS project. It is the result of three years of work, including workshops and case studies. It contains an extensive overview of current practice, research and standardisation, as well as the gaps between them.

Summary

The document thoroughly assesses the current state of web application security with respect to the state-of-the-practice, the state-of-the-art, research, and standardisation, with special attention to the European perspective. Using the collected data, it then defines a near- to mid-term research roadmap for Web security.

It collects areas of Web security which are still underdeveloped, identifies missing pieces in the research landscape, and points out promising directions for future research. In addition, it explores connections between research and standardisation, as well as existing mismatches in that area.

In this way, the document provides the big picture of the field of Web security research and supports decision-making when new research and standardisation activities, future research projects and work programmes are being defined.

The document has two parts:

Part I

Part I defines a systematic methodology for data collection and analysis. The methodology is based on five well-defined objectives, directly derived from the STREWS mission statement:

  1. Identify significant gaps between the state-of-the-practice and current research results.
  2. Identify mismatches between standardisation & research activities and the needs of the Web’s practitioners.
  3. Identify the emerging topics and future hot spots of Web security.
  4. Map standardisation and research efforts to the observed emerging topics in Web security. Identify topics that require further attention.
  5. Obtain current information on the state of European research in the field of Web security.

A total of ten distinct data sources were selected:

  • The State-of-the-Practice in today’s Web software
  • Selected empirical studies
  • Observable gaps between the State-of-the-Art and the State-of-the-Practice
  • Interactive survey
  • Review of related NoE and Policy activities
  • STREWS Workshops
  • Standardisation activities
  • STREWS Case Study 1: WebRTC
  • STREWS Case Study 2: Web Security Architecture
  • Cybersecurity

Part II

Each of the data sources is explored in depth in Part II. Taken together, the collected reports provide a comprehensive overview of the current state of web application security and web application security research.

In a second step, the document identifies and explores the emerging and hot topics in web security that require future attention from research, practice and standardisation, namely:

  • client-side complexity,
  • JavaScript sandboxing,
  • server-driven security policies,
  • JavaScript crypto and hardware tokens,
  • the end of the client-server paradigm,
  • Web privacy, and
  • advancing Web authentication and session tracking.

Finally, the collected insight pinpoints the upcoming security research challenges for the European Web:

  • Challenge 1: Revisiting classic attacks
  • Challenge 2: Handling the extending web paradigm
  • Challenge 3: Realizing real end-to-end security
  • Challenge 4: Increasing End-user Security and Privacy

The combination of the identified emerging topics and the overarching research challenges results in an exciting and promising research roadmap for the mid to long term. We expect that following this roadmap will lead to impactful results that address the future security problems of the Web, while being well suited for adoption by practitioners and standardisation bodies.