@wbamberg
Last active October 4, 2023 03:04
Notes from Secure the Web Forward

Notes from security workshop

  • lots of support for a standard "Security considerations" section in reference docs, like we have for accessibility
  • what are the key front-end (FE) security concerns, and what is their impact? Most people are not security experts, and even a basic checklist (5 things to be careful about) would be a big step forward for most people
  • the security community has terms of art and some gatekeeping. We should aim to make security more accessible to people, and not act like it is someone else's problem.
  • can we incorporate security advice inside IDEs and devtools?
  • can we have demos of security problems, to make them less abstract?
  • companies don't want to invest in security, especially if their websites just work
    • if web shops are delivering to e.g. banks, then the banks should ask those shops to care.
    • security regulation (https://en.wikipedia.org/wiki/Cyber_Resilience_Act) will make a big difference, but what exactly are the best practices going to be? We can help inform regulation here. Like WCAG, but for security?
  • need to document end user impact: the why, and the potential harm, to help devs (and their managers) understand the value of good security practices
  • there is potentially a lot of overlap between improved MDN security docs and the work Ben is planning with the OpenJS Foundation (https://www.w3.org/2023/03/secure-the-web-forward/papers.html#roadmap) and they might be open to collaborating?