Not much happened. Me and Mario (who sadly ended up missing the conf) came up with a Google Docs spreadsheet noting some interesting security-relevant differences among browsers – then I realized the Google Browser Security Handbook made the data gathering look really half-assed. Then we came up with another few initiatives that I later thought were too confrontational to pursue further (an open letter to the browsers, etc.).
I would strongly encourage you to do this, though. In 2008 we created a Google Docs spreadsheet noting security features provided by programming frameworks (J2EE, .NET, ColdFusion, etc.). This led to some phone calls with Adobe and some frank communication with other vendors, hopefully effecting more change (some of it is still in the works) than I thought would be possible. Just don’t make it too confrontational, and I think you’ll do a lot of good.
FYI, I think a lot of people lose credibility with browser/vendor folks by overstating risks. The browsers are guilty of 1,000,000 misdemeanors but not many real crimes.
Good luck,
Arshan
I would like to see work continue where Arshan left off (or is
currently at). Would this make more sense as part of a current track
or a new one?
-david
I'll work on compiling links of the work done thus far. I'm still
looking for feedback on how to integrate it with the discussions at
the OWASP summit.
Thanks everyone,
-david
@Gareth Nice! How did you come up with that list to begin with?