As part of the OWASP EU Tour 2013, there will be a special event in London next month, along the lines of the recent ones in Cambridge and Leicester.

The one day conference is being held in central London on Monday 3rd of June 2013 at the Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY. The nearest tube station is Holborn. It is free to attend and is open to all, but registration is required as numbers are limited to 100.

The agenda is still being finalised, but OWASP Ireland chapter leader Fabio Cerullo is presenting PCIDSS for developers, OWASP Cambridge chapter leader Steven van der Baan will be talking about simple steps for secure coding, and OWASP London chapter leader Justin Clarke will be speaking about securing development with PMD, the popular Java code scanning tool. I will be introducing and demonstrating OWASP Cornucopia. A very developer-orientated agenda so far.

The EU Tour continues to OWASP chapters in Barcelona, Bucharest, Belgium, Denmark, Dublin, Lisbon, Netherlands and Rome. Other locations will be added in due course.

Cornucopia Ecommerce Website Edition v1.00 was uploaded to the OWASP website in February and has now been upgraded to a full OWASP project.

Today, I have completed the new OWASP Cornucopia Project pages which include:

• Description and objectives
• Presentation given at OWASP Netherlands in March
• Links to all the references files, including a new security coding practice requirement identities, created last week
• Instructions on how to play
• Frequently asked questions
• Acknowledgements
• Road map and how to get involved
• Link to the PCISSC information supplement for PCIDSS referencing Cornucopia

Please let me know if you think I can add anything of use to the project pages.

I am also working on some minor updates to the ecommerce website edition's documentation and deck. I will be presenting the project at an event in London shortly.

OFCOM, the UK communications sector's regulator and competition authority, has announced a report on adults' use of media and attitudes.

The Adults' Media Use and Attitudes Report 2013 (complete 181 page print version) discusses media literacy, take-up, preference and media use, understanding, attitudes and concerns, use of the internet and mobile phones, and users in three class — new, "narrow" and non-users.

There is a wealth of valuable data for strategic planning and marketing purposes, but also useful information on security and safety habits and attitudes to regulation of the internet. If you need information to help support decisions around security and usability, this report will have something of use to you.

It is this weekend's best read.

BT has announced a trial of its Carrier-Grade Network Address Translation (CGNAT) where Internet Protocol (IP) addresses will be shared between subscribers.

Concerns have been expressed about the ability for some application to work if they rely on the assumption that IP addresses are unique, and also how this affects the identification of individual people.

Out-law.com provides a good review of the issues and information from BT, but links to the sources are not provided. BT has apparently stated they will still be able to identify individuals despite using CGNAT.

But the issue of identification does not only relate to newsworthy "illegal online activity" but also for wider privacy protection of completely legal activity where it is clear that IP addresses really must be considered as personal identifiers, especially when they can be combined with other data sets. Something to be considered in privacy impact assessments.

The UK Cabinet Office has announced a consultation into the proposed cyber risk management standard for organisations as part of its cyber security strategy announced in November 2011.

The proposed guidance and accompanying call for views and evidence define Cyber security as "preservation of confidentiality, integrity, and availability of information in cyberspace" and cyberspace quite broadly as "complex environment resulting from the interaction of people, software, and services on the Internet by means of technology devices and networks connected to it, which does not exist in any physical form".

The UK Government intends to select and endorse an organisational standard that best meets the requirements for effective cyber risk management. The current proposal outlines requirements for a standard, its objectives, outcomes, auditable requirements and controls in "at least" the following areas:

• Network security
• Malware prevention
• Secure configuration of information systems
• Monitoring
• Removable media
• Home and mobile working
• Managing user privileges
• User education and awareness
• Incident management.

So, somewhat disappointing that application security isn't mentioned, but those requirements pre-date this consultation - about the choice of an existing standard to follow.

Responses can be sent by email to cybersecurity@bis.gsi.gov.uk or by post to Cyber Security Team, BIS, 1 Victoria Street, London SW1H 0ET. The closing date to submit evidence is 14 October 2013.

Following the success of similar events in Latin America, a rolling tour of events with OWASP speakers will be occurring in European Countries, beginning with Cambridge this month.

This first event of the tour has been organised in conjunction with Anglia Ruskin University's Department of Computing and Technology for Monday 13 May 2013.

The agenda lists all the speakers:

• Adrian Winckles, OWASP Cambridge Chapter Leader & Senior Lecturer
• Ross Anderson, Cambridge University Computer Laboratory
• DI Stewart Garrick, Metropolitan Police ECrime Unit
• Justin Clarke, OWASP London Chapter Leader
• Eoin Keary, OWASP Board Member
• Steven van der Baan, OWASP Cambridge Chapter Leader
• ... and myself.

I will be speaking about application security vulnerability severity ranking and prioritisation. This will be of use if you have to create or consume vulnerability assessments and penetration test reports, or are involved in patch management or PCIDSS compliance.

Thank you to Fabio Cerullo and the OWASP team who made this tour happen.

The event runs from 11:00 to 17:15 hrs and is located in LAB 002, Lord Ashcroft Building, Anglia Ruskin University, Cambridge. It is free to attend, but advance registration is required.

Last week the UK's Department for Business Innovation & Skills published the 2013 Information Security Breaches Survey, created in conjunction with PwC.

The report presents the results of the survey and breaks the findings down for larger (>250 staff), medium and smaller (<50 staff) organisations. The term "cyber" appears 15 times and "APT" only once, so is generally hyperbole-free.

The most interesting data points for me are:

• 18% of "worst breaches" related to websites and internet gateways, and 4% to breach of laws/regulations
• For all breaches, operation disruption typically lasts a week, with 2-4weeks FTE effort responding to the incident, and a quarter of incidents leading to lost business
• Reputation losses were estimated to be between £10,000 and £100,000.

The report is available to download in full free of charge without registration.

I have just had time to catch up on my attendance and participation at Security B-Sides London 2013.

This community-led event was held at the town hall of the Royal Borough of Kensington and Chelsea on Wednesday 24th April, and was supported by a large number of speakers, educators, volunteers and sponsors. It was an extremely well organised, and useful, day.

Following the very well attended welcome and introduction from the B-Sides London crew, I went to an immensely valuable and engaging presentation by David Rook (aka Security Ninja) on how he introduced and developed an application security programme at his employer Realex Payments. He has got to the point where customers are approaching his company to act as a payment services provider due only to their knowledge of Security Ninja, and so the marketing department kindly designed cartoon-style presentation slides (like the one illustrated above). They also had these printed as booklets to hand-out to those attending the talk at B-Sides London. David described what was done, how it was achieved, and things he would approach differently in hindsight. I won't spoil the plot for you as you will be able to read the booklet yourselves (keep an eye open for a blog post (now available).

After this, I went down to the new Rookie Track where new presenters had been given support through mentoring to give 15-minute presentations. Firstly I listened to Artjom Vassiljev describe how he has built software security testing checks into a continuous integration process with Jenkins.

Following a quick coffee break and catch up with some friends & acquaintances, I returned to the Rookie Track and listened to Diarmaid McManus describe a new Eclipse plugin called ESP he has been working on to help integrate code review checks into developer's coding tools.

Ksenia Dmitrieva provided an introduction to HTML5 risks and gave explanations and examples of common attacks. She also explained the preventative measures which should be used to protect against these issues.

Post lunch, I tracked down Dinis Cruz and we set up our workshop on using OWASP O2 to visualise OWASP AppSensor behaviour. I introduced the concept of application-specific attack detection and response, and described how the ideas might be retrofitted relatively simply to an existing web application such as the bulletin board software phpBB. A review of phpBB's inherent capabilities and logging provide a useful hook for detection points, and responses can include adding users to phpBB's list of "banned IPs" and blocking IPs at the operating system level. Dinis continued with a live demo of the AppSensor demo application, created by Michael Coates, and then he went on to show how AppSensor's new web services Java code can be called directly from within a .Net application TeamMentor.It was good to bounce ideas off the workshop participants and get their thoughts and suggestions on the practicalities of implementing AppSensor-like capabilities.

Finally I saw Gavin Holt talking about "NoSQL & Big Data - A Way to Lose Even More Stuff" in which he described the common weaknesses in using NoSQL and attacks that attempt to access such systems and their data. I really liked the 15minute format on the Rookie Track and all three speakers I heard were really good.

Overall, an excellent day. Many thanks to the very professional B-Sides London team in particular for making sure it all happened.

Update 30th April 2013: Link to Security Ninja's slides added. Ksenia Dmitrieva's talk added.

The Verizon 2013 Data Breach Investigations Report has been published drawing on data from 19 organisations including the European CyberCrime Center.

The report includes information on 621 confirmed data breaches, the majority of which were financially motivated crime, followed by state-affiliated espionage. Although 93% of the breaches were attributable to outsiders, a significant proportion (14%) were attributable to insiders alone or insiders working with external agents. Attempts to intentionally access or harm information assets without authorisation by circumventing or thwarting logical security mechanisms (labelled "hacking" in the report" accounted for 52% of incidents. Of these, 22% related to the use of web applications.

The report can be downloaded free of charge without registration.

Next week Dinis Cruz and I will be running an AppSensor workshop at Security B-Sides London 2013.

We will be demonstrating and helping attendees of the workshop specify, define and implement application-specific attack detection and real-time response. Our agenda is:

• OWASP AppSensor concept
• Attack detection exercise
• Real world implementation
• Alternative deployment models

We'll be using paper-based materials and real code demonstrations (in .Net, Java and PHP), so just bring your brains along. The workshop is being run from 14:00 to 15:30 hrs on Wednesday April 24th 2013 and can be booked on arrival at the event. It is available on a first come, first served basis. Security B-Sides London is a community-driven free event but requires registration, but due to overwhelming demand there is a waiting list.

We hope to see you there.