06 January 2009

Application Data Flows by Email

It is very common to find web applications where part of the business process, not just acknowledgements, is undertaken using electronic mail. These processes need to be designed securely and tested as well.

I've mentioned previously in Keep The Emails Coming about testing email alerts used for errors, problems and other unusual conditions, but it's common for email also to be used as a short-cut for developing some parts of business processing.

A recent project I was working on included a link to unsubscribe from marketing emails. Clicking on the link gave a slightly sparse single-phrase confirmation—not particularly usable, and it didn't validate me in any other way or notify me of the change by anything other than the screen message, but it was probably okay for the type of system.

Partial screen capture showing the words 'You have been successfully unsubscribed' that appeared after clicking on an unsubscribe link

However, within a few minutes I had received another email - an auto-responder:

Partial screen capture of the email message with the subject line 'Your message to Admins requires moderator approval', from 'admins-bounes@...' and stating: Your mail to Admins with the subject A contact has unsubscribed from your list ****** is being held until the list moderator can review it for approval. The reason it is being held: Post by non-member to a members-only list. Either the message will get posted to the list, or you will receive notification of the moderator's decision. If you would like to cancel this posting, please visit the following URL: http://******/mailman/confirm/admins_******/...

Very interesting. What does this tell us?

  • There is an administration mailing list
  • The unsubscribe process sent a message to the administration list with my email address as the sender
  • Posting to the list is restricted to certain people, and thus could be a way to identify administrators' email addresses
  • The list may be using Mailman, the GNU Mailing List Manager
  • The list administration address begins with /mailman/confirm/admins_******/

And, I suppose the implication is my email address has not been removed from the mailing list yet.

If this were a web application penetration test, it might be that some of the mailing list administrative usernames, and perhaps passwords, are the same as for the web application. Or the content of messages on the list may contain useful information to help access the web application. The email responder is sending too much information; in fact this message shouldn't be sent to a subscriber at all, and the information leakage stems from using the subscriber's email address as the sender.

So, remember a web application's security is only as good as its weakest link. The security architecture needs to address the whole business process, not just the web page parts.
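As an added example, not code from the original post or the system it describes, here is the notification pattern the post describes (subscriber address used as the sender) beside a version that sends as the application itself and removes the address before notifying; all addresses, list names and the subscriber store are constructed for illustration.

```python
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Optional

# Constructed values: a fixed, non-user-controlled sender and an internal list.
SYSTEM_SENDER = "noreply@example.invalid"
ADMIN_LIST = "admins@example.invalid"

# Constructed in-memory subscriber store standing in for the marketing list.
subscribers = {"alice@example.invalid", "bob@example.invalid"}

SUBJECT = "A contact has unsubscribed from your list"


def weak_notice(user_email: str) -> EmailMessage:
    """The pattern observed in the post: the subscriber's address becomes the
    From header, so list-moderation auto-responders go back to the subscriber
    and reveal the list's existence, software and membership policy."""
    msg = EmailMessage()
    msg["From"] = user_email
    msg["To"] = ADMIN_LIST
    msg["Subject"] = SUBJECT
    msg.set_content("Unsubscribed.\n")
    return msg


def hardened_notice(user_email: str) -> EmailMessage:
    """Same notification sent by the application: the subscriber's address
    appears only in the body, never in a header that mail systems reply to."""
    msg = EmailMessage()
    msg["From"] = SYSTEM_SENDER
    msg["To"] = ADMIN_LIST
    msg["Subject"] = SUBJECT
    msg.set_content(f"Unsubscribed address: {user_email}\n")
    return msg


def unsubscribe(user_email: str) -> Optional[EmailMessage]:
    """Remove the address first, then notify. Returns the message to send, or
    None when the address was not subscribed (nothing to tell the admins)."""
    if user_email not in subscribers:
        return None
    subscribers.discard(user_email)
    return hardened_notice(user_email)


def sender_is_user_controlled(msg: EmailMessage, user_email: str) -> bool:
    """Review check: True when the subscriber's address has leaked into a
    header that determines where replies and bounces are routed."""
    for header in ("From", "Sender", "Reply-To", "Return-Path"):
        value = msg.get(header)
        if value and parseaddr(value)[1].lower() == user_email.lower():
            return True
    return False
```

Running `sender_is_user_controlled` over outgoing notifications in a test suite catches the routing-header leak before a moderation bounce reveals it to a subscriber.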

Posted on: 06 January 2009 at 12:30 hrs


02 January 2009

Mobile Web Application Mania

Happy new year. A recent edition of a mobile phone provider's newsletter for business customers heralded the growth of mobile applications.

It discussed Nokia's purchase of the Symbian mobile operating system, and making it free to other mobile manufacturers, as an attempt to combat Google's Android mobile phone operating system. The newsletter mentions, as an advantage of Android being an open source platform, that:

... applications can be freely written for it... So just imagine what can be achieved on your next mobile phone when absolutely anybody can design an application for it...

Armageddon perhaps?

Posted on: 02 January 2009 at 09:32 hrs


30 December 2008

Do You Want the Right Answer?

I've just completed one of those web forms people put in front of useful information, to gather market research data before giving you access.

This was published by an information security organisation:

Partial screen capture of an online form with the question asking the user to 'check all that apply' - the problem is the options are radio buttons, so only one can be selected.

I'm afraid I couldn't "check all that apply" since the nice form only had radio buttons and I didn't feel inclined to edit the HTML myself. Would that have been hacking? Other questions on the same form had the same problem. It didn't instil any confidence in me about their design and testing processes.

Data quality is important. Junk data in will lead to junk answers out.

Posted on: 30 December 2008 at 11:18 hrs


26 December 2008

Season's Greetings - You Are Being Watched

I'm thinking about whether to write some posts on my recommendations for logging, monitoring and alerting.

Much as I hate to suggest you need more monitoring, web sites and web applications shouldn't be left alone. So I'll write more about this in the new year.

In the meantime, here's my seasonal card—even Christmas trees have CCTV cameras in them now:

Photograph of decorations on an artificial Christmas tree - there is a bauble-shaped sign saying 'CCTV in operation here'.

Seen in a London shopping centre, early December 2008.

Posted on: 26 December 2008 at 12:28 hrs


23 December 2008

New Site New Terms

E-consultancy.com Limited has completed their site migration to a new domain, a new platform and a new country.

In September I posted a message about moving web hosting offshore in response to the impending E-consultancy site migration.

Partial screen capture showing the top left corner on the new econsultancy.com web site.

Well, the move has happened and the new domain is econsultancy.com—the "www" sub-domain and the previous hyphenated "e-consultancy.com" domain redirect to the new site. I may have missed something, but as a member and contributor who agreed to the previous terms & conditions, I was expecting to hear something before the move occurred.

Some users are required to agree to the new longer terms and conditions before proceeding, yet this seemed to be bypassable in some cases. I didn't have time to investigate the mechanism but noticed I wasn't asked with some browsers/computers and was on others.

Partial screen capture showing the welcome redirect which asks users to agree to the terms & conditions before proceeding.

There's no mention of data protection or privacy issues in the chief executive officer's blog posting about the new Econsultancy site, despite all the previous discussion. I'm a little bit disappointed to be honest, since the web site is such a good resource for ecommerce (or e-commerce) and digital marketing professionals. The CEO does, however, tell us some of the technologies used—an unnecessary security information leak.

There has clearly been a lot of effort put in, and that's to be congratulated. But the privacy statement has these few words about security:

Screen capture taken from part of the privacy statement page stating 'In order to process and help protect your credit card details, we use SSL (Secure Sockets Layer) to communicate with DataCash, our payment provider. On the Econsultancy site we use best endeavour to safeguard the confidentiality of your personally identifiable information but we do not use encryption (such as SSL) or firewalls to further protect the information as it travels across the Internet. This is because we do not believe that, apart from the credit card information processed by DataCash, the personal information we currently collect warrants such measures and the accompanying loss of speed experienced. You should be aware that

It looks like a mixture of boilerplate text and some additions. But the description of, and explanation for, the security controls that were omitted doesn't reflect good practice and is entirely insufficient for a £300,000 revamp of an ecommerce-enabled web site. Let's hope they have some sort of firewall in there somewhere!

I'm left with the feeling that perhaps security wasn't considered much during the re-development process. A missed opportunity.

Posted on: 23 December 2008 at 15:02 hrs


19 December 2008

New OWASP Testing Guide

Version 3 of the Open Web Application Security Project (OWASP) Testing Guide has been released after a 6-month period of addition, enhancement and review.

The OWASP Testing Guide is an ideal reference for both developers and testers—version 2 was fantastic, and this new version is even better. The testing framework now covers 66 controls and, like in the previous version, each control has a brief summary and is described in detail followed by black box (no additional knowledge) and grey/gray box (partial knowledge) testing methods and examples where appropriate.

Partial view of a page from the OWASP Testing Guide V3.0 showing 'Brief summary', 'Description of issue' and 'Black box testing and examples' headings for a control.

The controls and testing methods are fully referenced to provide additional guidance and explanation.

Partial view of a page from the OWASP Testing Guide V3.0 showing 'References - whitepapers' and 'References - tools' headings for a control.

The controls are grouped into ten categories, including new separate categories "Authorization" and "Configuration Management". I'm especially pleased to see the latter broken out on its own, since even a perfectly coded application can have vulnerabilities introduced during deployment and changes to the application.

The OWASP Testing Guide now also includes a "best practice" penetration testing framework and a "low level" penetration testing guide that describes techniques for testing most common web application and web service security issues. More information is available on the Testing Project pages.

Posted on: 19 December 2008 at 09:43 hrs


18 December 2008

Risk and the Payment Card Industry Data Security Standard

Chris Hayes has posted an important reminder of the difference between the risk of non-compliance with the Payment Card Industry (PCI) Data Security Standard (DSS) and the risk of the defects themselves.

Read his Risk and PCI-DSS posting on Risktical Ramblings.

Cotton Traders survived a payment card data breach earlier this year and has gone on to implement tighter controls. It was not clear at the time of the breach whether they were PCI DSS compliant or not.

Partial screen capture of the Privacy and Security page on the Cotton Traders web site which mentions their PCI DSS compliance - taken from http://www.cottontraders.co.uk/ct/info_SecurityStatement.asp

Chris mentions non-compliance with PCI DSS. Not many merchants should seriously consider remaining out of compliance—micro, small and medium sized enterprises in particular may not survive the consequences of a security breach followed by the effects of being found to be non-compliant.

He also refers to the Common Vulnerability Scoring System (CVSS) in his posting. It is quite a complex standardised method for rating information technology (IT) vulnerabilities and you can read his thoughts on CVSS starting at Risk and CVSS (Post 1) which highlights the dangers of applying methodologies and metrics without a full understanding of them and what aspects are being included/excluded.

Posted on: 18 December 2008 at 12:59 hrs


16 December 2008

Accessibility and Security Roundup

For those of you planning new web projects in the new year, here are some pointers for accessibility resources to keep in mind. Accessibility is not a marginal issue—enabling web site users to interact with your web application without hindrance increases trust, improves the accuracy of information submitted and reduces errors. These are all aspects of software quality.

Accessibility sometimes gets lumped in solely with talk of disability. But a lack of special aids or adaptations hasn't been the significant barrier to internet usage by disabled people. As for everyone else, the barriers are cost and a lack of skills and confidence. So what should we be doing for all users?

Partial screen capture of a web application log in screen stating the user's browser (the current version of Opera - 9.62) is incompatible and has links to download Internet Explorer, Firefox and Safari.

BSI British Standards is now inviting comments on a new Draft for Public Comment (DPC) BS 8878:2009, the draft standard on accessible websites (registration required). Based on the Publicly Available Specification (PAS) PAS 78:2006 Guide to Good Practice in Commissioning Accessible Websites which will ultimately be withdrawn, the final date for submissions is the end of January 2009 with an aim for the standard to be published in summer 2009. Thankfully, BSI have now published the complete documents in PDF and Word format (no registration required), since the mechanism for reading and providing feedback is an excellent example of an unusable application! The draft standard is summarised by the document's statement:

The goal of any web project should be to create web experiences that are accessible, usable and enjoyable.

I'd add "safe" to the list.

Last week saw the Web Content Accessibility Guidelines 2.0 (WCAG) becoming a full W3C Recommendation. Key reference WCAG 2.0 Documents are:

These aspects are increasingly being highlighted in web project contracts and specifications - and system architects, designers, developers and testers need to know how to build compliant applications. It is important to understand that users won't just be using popular modern web browsers; all sorts of devices will be utilised. Information security shouldn't be weaker for anyone—regardless of their access method.

One aspect of WCAG 2.0 is maximising compatibility with current and future user agents, including assistive technologies. A related project from the Accessibility Interoperability Alliance (AIA) worth monitoring concerns Common Keyboard Shortcuts for Accessible Technology (AT) Products Used with Web Browsers, along with the Open Web Application Security Project (OWASP) Intrinsic Security Working Group's efforts on introducing more useful security into all web browsers.

Posted on: 16 December 2008 at 12:18 hrs


12 December 2008

Rising Data Protection Act Costs

Recent proposals from the Ministry of Justice in the government's response to the Data Sharing Review suggest the Information Commissioner will receive greater powers and charge more for data protection registration.

Part of the cover from the Ministry of Justice's document showing the title.

As a result of a consultation, the Ministry of Justice has proposed tougher powers for the Information Commissioner including:

  • monetary penalties for deliberate or reckless loss of data
  • after a warrant has been served, the power to require the provision of information needed to determine compliance with the Data Protection Act
  • the power to impose a deadline and location for the provision of information necessary to assess compliance.

The ability to determine Data Protection Act compliance could be difficult for many web enabled processes if there are insufficient controls, monitoring and reporting. I've already found the potential compliance issue is a consideration now for current and new web project specifications.

It is also suggested that the current flat-rate notification fee is replaced by a tiered fee structure based on the size of the organisation (similar to the bands defined in the European Union's Recommendation 2003/361/EC regarding the SME definition), so that businesses with more than 250 employees or with a turnover greater than about £26 million will receive the highest charges.

You can read the full proposals in the response document The Information Commissioner's Inspection Powers and Funding Arrangements under the Data Protection Act 1998 and related press release.

Posted on: 12 December 2008 at 07:25 hrs


11 December 2008

Web Browser Security Properties Reference

There's a new resource for web application architects, developers and testers who want to find out more about the security properties of the most common web browsers.

Partial screen capture from the Browser Security Handbook wiki landing page showing the main author's details (Michal Zalewski), release licence terms and conditions (CC-3.0-BY) and the table of contents: Introduction, Disclaimers and typographical conventions, Part 1 Basic concepts behind web browsers, Part 2 Standard browser security features, Part 3 Experimental and legacy security mechanisms.

A message was posted to The Web Security Mailing List today highlighting the Browser Security Handbook. I've yet to digest all the information but it seems to be very comprehensive. The web browsers recently tested and reported on are:

  • Microsoft Internet Explorer 6 & 7
  • Mozilla Firefox 2 & 3
  • Apple Safari 3
  • Opera 9
  • Google Chrome
  • Android

The inclusion of test cases in the download is especially helpful. We should thank all the contributors for this excellent live document.

Posted on: 11 December 2008 at 16:41 hrs


Web Security, Usability and Design
http://www.clerkendweller.com/

© 2008-2009 clerkendweller.com