Yes, had you forgotten it's Data Privacy Day tomorrow? See StaySafeOnline for events in the US and Canada. Not sure why it's a Saturday — maybe to give the weekend journalists a story they can prepare in advance, and then take the day off.

While there is a programme of events, data protection has been in the news this week following the publication on Wednesday of the European Union's proposed reform of data protection legislation, promoted under the banner of aiming:

There has been extensive documentation and justifications published to accompany the draft directive. There is of course plenty of coverage elsewhere, and I would recommend reading the following:

• Initial response from the ICO on the European Commission's proposal for a new general Data Protection Regulation, UK Information Commissioner's Office
• EDPS welcomes a "huge step forward for data protection in Europe", but regrets inadequate rules for the police and justice area European Data Protection Supervisor
• Pan-EU consistency in data protection reform welcome, but burden on business a problem, says expert, Out-Law.com

So, what does it mean? For now, these are just proposals, and what will eventually be made into law will be something very different. But it does indicate the way things are going, and is a reminder to website and application owners & developers of the need to take privacy considerations into their projects now, since the cost of changes later may be prohibitive. And, they should be doing this already, but there may be more obligations for those processing personal data in the future. There is potentially more complex functionality required for tracking consent, achieving data portability, handling withdrawal of consent and undertaking data removal.

And, there is the topic of mandatory notification of "serious" breaches.

Data Privacy Day might be a day of reading after all.

The proposed new European Data Protection Directive will be announced tomorrow.

Apart from the leaked draft document, there has been plenty of comment (e.g. here, here and here), Viviane Reding, Vice-President of the European Commission, has also been speaking up.

Meanwhile IAB Europe has been busy behind the scenes discussing online behavioural advertising (OBA) and IAB USA has been blogging about its self-regulatory programme. Lots happening then with privacy, advertising and online marketing.

We will find out tomorrow if the leaked document was representative of the final proposals.

After attending the London Web Performance Testing Group on Wednesday evening, I went along to the London Android Group (londroid) at Skills Matter.

Mixing Native and Web Technologies, Oh My included three presentations/demonstrations. Great stuff.

Dave Springgay spoke about his experiences at News International developing highly crafted news apps which provide high quality and high performance on native mobile operating systems. He explained their use of HTML5, Android WebView and Java bridging to use JavaScript to inject content (mainly JSON) directly into pre-built HTML templates which are customised for each device, and which can be updated without re-deploying the app.

Jonathan Anthony provided an overview of the advantages of building mobile applications as webapps, using PhoneGap, using Titanium, and finally as native apps. He explained the latter of course give the best performance, better graphics and access to all the hardware APIs (with geo-location and camera being the most popular) along with the ability to have an icon on the desktop, but come at a cost due to the higher rates for developers, and the need to develop for at least two operating systems (i.e Android and the other one). He thought that for many apps, a webapp should be considered, due to speed of development and the cross-platform capability making them perhaps a quarter of the price.

Finally, Doug Chisholm and Clinton Smith described the capabilities of appsplash to develop cross-platform applications using their custom development platform.

So that's the technologies presented, but jQuery Mobile and jQTouch were also mentioned. Plenty to keep tabs on.

One of the benefits of being in central London during the week is the number of events it is possible to attend.

With too much choice, it is sometimes possible to miss opportunities to expand your knowledge, but yesterday I took the opportunity to attend for the first time, a meeting of the London Web Performance Group being held at the London Canal Museum near King's Cross.

David Burns spoke about web performance testing and continuous integration. He described how he had developed processes for building web performance testing into development processes and is now able to do this with continuous integration.

Although initially this began by asking helpdesk staff to time the loading of web pages using stop watches (long ago in 2006), he now uses Selenium Web Driver in combination with BrowserMob Proxy. The latter allows data export in the HTTP Archive format (HAR) (more information). This data can then be viewed, aggregated and analysed. The long Q&A session provided plenty of time for discussion of the techniques, how Ajax can be monitored, and alternative methodologies.

Perhaps there are some ideas here to investigate for security testing.

Future meetings of this group will be looking at Ajax, and performance testing of mobile applications. I have joined the group to receive future announcements.

I have to thank Alexis Fitzgerald for pointing out this weekend's reading — the latest edition of the Global Risks report from the World Economic Forum.

All 50 risks examined in this year's Global Risks 2012 - Seventh Edition fall in the high-impact and high-likelihood areas. This year cyber attacks have been identified as one of the top five risks in terms of likelihood. However it terms of impact, issues like major systemic financial failure, water supply crises, food shortage crises, chronic fiscal imbalances and extreme volatility in energy and agricultural prices have much greater effect.

The rising issue of cyber attacks is related to the ability for this to be undertaken remotely and anonymously, as well as the much increased "hyperconnectivity" of systems. The objectives of cyber attacks are stated as sabotage, espionage and subversion (e.g. spreading false information and denial of service attacks).

This isn't a report for the micro-scale, but examines risks from the perspective of the world and nation states. However, that isn't to say that larger companies and other organisations can't learn something from the report. A detailed analysis of last year's earthquake in north-east Japan, identifies how more highly-networked businesses (with distributed leadership, is loosely coupled, has dispersed workforces, has cross-trained generalists and guides by simple but flexible rules) fared better than more hierarchical centralised policy-driven tightly coupled ones. The questions for stakeholder on page 35 are good tips for consideration in developing and updating incident response and disaster recovery plans — whatever the scale of the organisation or system.

The report may also be of interest to those involved with sector-wide bodies for encouraging building resilience into their member organisations. On that subject, the US Department of Energy and Department of Homeland Security have announced a new initiative to develop best practices in the form of a cyber security maturity model for the electricity sector.

If this global risk is your thing, you may also want to have a look at the Cyber Power Index which attempts to benchmark the ability of the G20 countries to withstand cyber attacks and to deploy the digital infrastructure needed for a productive economy.

Gartner published its report Magic Quadrant for Dynamic Application Security Testing (DAST) at the end of December.

The report is currently available to download free of charge if you register on Veracode's website. But it looks like if your turnover is less than $500 million, or say it is, the sales folk may be less likely to bother you.

The report is a useful summary, but I don't think it does enough to highlight the need for DAST to be just one part of a mix of activities contributing to a secure software development lifecycle, and therefore more secure applications. There's plenty of activity out there combining developer training, secure coding guidelines, vulnerability management, web application firewall dynamic patching and static analysis techniques too.

Veracode has previously published significant data about software security in volumes 1, 2 and 3 of their State of Software Security Report.

In Volume 4 of State of Software Security Report additional analysis has been possible due to the larger data set available. In this volume emphasis is given to the analysis of the (primarily US?) governmental sector, as well as more data on the effect of developer training and education on software security. On this Veracode report that a "high level of application security knowledge also delivered higher security quality applications". That's encouraging since developer training is one of the first areas where effort should be expended in creating a secure software development lifecycle programme.

On of the other interesting conclusions was the potential fast turnaround for remediation and re-testing to solve problems suggesting that "development agility and application security are not mutually exclusive".

Cross-site scripting continues to be the most prevalent vulnerability overall — there was an interesting discussion last week about what this means in terms of business impact on the Web Application Security - From the Start blog.

Volume 4 also includes some initial results on static code analysis of Android applications. If you are developing mobile applications, do read the OWASP Mobile Security Project's Top 10 Mobile Controls and Design Principles.

Happy new year. Planning your diary already? Looking for the best European conference for information about application security?

Europe's premier application security conference, AppSec EU, is being held in Athens, Greece, from 10th to 13th July 2012. As in Stockholm two years ago, this event has a research theme, but there will be plenty of practical information, advice and application security training.

In May I participated in the OWASP Greece chapter Training Day in Athens and was overwhelmed by the level of attendance from the enthusiastic and knowledgeable development community. I am sure the sponsorship opportunities and tickets will be snapped up quickly.

AppSec EU Research 2012 is being hosted by the Department of Informatics and Telecommunications of the University of Athens.

Another report from the European Network and Information Security Agency (ENISA) highlights deficiencies in the maritime sector.

The study's report Cyber Security Aspects in the Maritime Sector discusses that while there is increasing knowledge concerning physical security and crew safety, maritime cyber security awareness is low to non-existent. The situation is made worse by fragmented responsibilities, lack of incident information, and missing legislation in this area.

A relatively quick read if you are active in the sector.

Further to my previous notes about HTML 5 security, a superb reference document was published earlier this month.

Michael Schmidt (Compass Security) wrote his master's thesis about HTML5 security in May 2011 and has published an extract for everyone to access.

HTML5 Web Security describes issues, vulnerabilities, threat & attack scenarios and countermeasures across 80 pages including numerous well thought-out diagrams, and is backed up with detailed references and an appendix full of attack details.

The main sections are:

• 2.2 Cross-origin resource sharing
• 2.3 Web storage
• 2.4 Offline web application
• 2.5 Web messaging
• 2.6 Custom scheme and content handlers
• 2.7 Web sockets API
• 2.8 Geolocation API
• 2.9 Implicit relevant features of HTML5
  Web workers, new elements, attributes and CSS, Iframe sandboxing and server-sent events

If you are already developing HTML, or planning to, read this document as soon as possible and update your requirements documents, specifications, design documents, coding standards, and test plans to incorporate the knowledge.

The document would be worth buying if it were a book, but it has generously been made available publicly. Yes, I am still reading the document, and so far have only one very minor complaint — it would be good to have a content list. Maybe in version 1.1?