Last night I had the pleasure of attending the Nominet Best Practice Challenge Awards 2009 at Banqueting House in Whitehall, London.

In the Best Security Initiative Award, OWASP Board member Dinis Cruz, OWASP London chapter leader Justin Clarke and I were representing The Open Web Application Security Project. Our entry for the 2009 Best Practice Challenge had been shortlisted in June.

It was interesting to see the innovative work being undertaken across the UK in security, access, diversity and openness. The Yorkshire Business Crime Reduction Centre (BCRC) won the Best Security Initiative Award. The BCRC is supported by South Yorkshire Police and the Regional Development Agency, and undertakes e-commerce and physical security assessments for small and medium-sized enterprises (SMEs) in the area. Their recent E-Crime Guide is a very useful introduction to the issues.

It is good to see an increasing awareness of online and e-commerce security, and this looks likely to continue with the recent announcement by the Prime Minister of new initiatives to secure the UK from cyber threats, following publication of the Digital Britain report last month.

Old, backup, "secret" and test pages, scripts and other files shouldn't be left on live web sites. The Visit Britain web site should be a showcase for Britain, but I was trying to find a particular page and looked at their 97-page long full sitemap.

Oops, the 4th, 6th, 7th and 8th links were all test or old pages. I couldn't believe this prominent web site didn't have procedures in place to manage draft and test content, or even that they were making such pages live on their web site. The result test-script worried me most but fortunately all four of these returned were not found when clicked.

I wonder what the page "Delete" does though?

People use search engines such as Google to find hidden information on website (aka Google Hacking), but it's uncommon for web sites to clearly list it on their own site map. Rather than ploughing my way through the impenetrable site map, I switched to Google to see what it had found using the search query "site:www.visitbritain.co.uk test". Skipping the results about cricket test matches and testing your handicap, revealed more links to more test pages:

My favourite must be the page with the parent page labelled "Food & Drink - to be deleted EVENTUALLY" in the breadcrumb trail:

These types of practices don't instill any confidence in the management of the web site. Old, backup and test files may contain sensitive data, allow access to the application or functions otherwise restricted, or contain faults that have been fixed in the current version. And, if you actually list them, it looks terrible! Web sites and web applications, don't just look after themselves—you need clear policies, a well-designed specification, a robust development contract, good management, skilled staff, verification processes and be willing to learn from good practices elsewhere.

Today's message: read Testing for Old, Backup and Unreferenced Files.

I was surprised to see the latest advice Stop Password Masking from Jakob Nielsen.

Jakob Nielsen's has raised many usability topics in his Alertbox but he is not always correct. Although I used to read his column with an open, somewhat sceptical, mind I gave up some time ago*.

No, password masking isn't just some legacy design artefact. Like other design choices relating to user identification and authentication, these have a significant impact on user trust and data privacy, confidentiality and integrity. It is wrong to suggest that masking should be removed by default. By all means inform users of the risks and let them choose to display the characters being typed, but don't have this status set by default. More-and-more web sites are being accessed away from home, and being overseen by other people or surveillance equipment is commonplace almost everywhere.

On e-commerce sites, the need to log in can often be removed completely, or made non-compulsory. Too often security controls are applied for other reasons, such as to generate information for sales and marketing reports, rather than to ease the purchasing process. For more critical data, the use of authentication mechanisms other than static passwords should be considered.

* I stopped reading Alertbox after Jakob Nielsen became very defensive about his training material only being available on DVD and not VHS tape, as many people had requested. His argument was that DVD players were so cheap, people should upgrade. Yet at the time, he was promoting the idea that web sites would render in all browsers—including old legacy ones.

The Web Site Security Maturity Model gives an at-a-glance indicator, or litmus test, of an organisation's web site security posture!

Organisations tend to fit into one of five categories, which I'll light-heartedly call the Web Site Security Maturity Model. This is comprised of five maturity levels, and it's very easy to determine your own organisation's level. Start at the lowest (level 1) and work up the maturity model—stop as soon as you agree with the statement:

1: Use FTP to update the web site

2: Worried about web site security

3: Have undertaken a web site security audit or review

4: Security built into web site development and operation processes

5: Don't have a web site

So on this quick guide, the safest option is not to have a web site. Many small and medium-sized organisations are operating at maturity level 1.

But seriously, if you want to review and improve the security of your web site and other software development processes properly, the Software Assurance Maturity Model is the best starting point.

We all have to deal with too many email messages. Sometimes you opt in for something, or it's a requirements for access to some service, and some time later you want to opt out again.

Well, one email too many from Haymarket Publishing (I can't really remember choosing to opt in for 3Dconferences anyway) and I copied the unsubscribe hyperlink (like http://ecm.hbpl.co.uk/public/unsubscribe.jsp but with some additional parameter values) into a secured browser to visit the unsubscribe form:

But the email text field was not activated—I could not tab to or click on the field to enter my email address. The field had the disabled attribute set:

Usability failure. Accessibility failure. Security challenge. Well, not so much a challenge as a minor annoyance.

Don't Haymarket Media Group check their response forms? Cynical people might suggest they don't want people to opt out from their mailings. However, allowing user to unsubscribe from marketing emails is not an optional obligation. The The Privacy and Electronic Communications (EC Directive) Regulations 2003 states:

Oh, and where are the privacy policy and company contact details?

Compliance failure.

Many websites are updated using File Transfer Protocol (FTP). Don't do it.

A discussion thread How Do You Store FTP Login Information For Your Clients? highlighted what common practices are, but almost entirely missed the issues of transfer of login credentials over unencrypted channels, privileged access to the whole of the server, account sharing, password and user management.

It's no surprise that some of the most serious hacks are suspected of being undertaken using compromised FTP accounts.

FTP is not an option. Ask your hosting company or systems staff to disable FTP services and block all traffic to/from your web servers on TCP ports 20 and 21, at your network firewall.

Privacy Notices Codes of Practice is being launched today by Richard Thomas, the Information Commissioner.

Apart from the minor concern that Richard Thomas had included his signature in the document, the draft looked like it would be a very useful code of practice for most small-to-medium organisations including local government and professional organisations. One issue I raised at the time was the potential for aggregation of data to have more meaning than the individual parts, and that this should be considered in privacy notices so that users are aware of any potential problems. Some of the web form examples included didn't necessarily include other (non-privacy related) good practice such as for web accessibility and web usability. There was also some lack of clarity over the use of the word "security", e.g. "Security and Privacy Statement", which I hope has been corrected.

The explanation of fairness, and good and bad examples paper and web form layouts in the draft from the Information Commissioner's Office (ICO) were particularly helpful.

I'm looking forward to seeing the final version.

Update 10:30 hrs 12th June 2009: The ICO has published a press release and the final Privacy Notices Code of Practice.

Update 14:20 hrs 12th June 2009: The final version has incorporated over 60 suggestions as a result of the public consultation, including the issues of aggregation and use of the word "security". Watch out for legislation relating to Assessment Notices and dealing with failures to act on Assessment Notices.

The news that a the UK hosting company VAServ lost 100,000 web sites all at once is devastating for the organisations involved. It appears that many cannot be recovered and a considerable number do not have recent backups.

From the temporary status page dated 10th June:

The event was widely reported:

• Webhost Hack Wipes Out Data for 100,000 Sites
• Webhost Denies Poor Passwords Led to Catastrophic Hack
• U.K. Web Hoster, Customers Scramble After Attack Deletes 100,000 Sites

Particularly sobering is the news that the CEO of LxLabs, implicated as the developers of the software that was hacked, has committed suicide:

• LxLabs boss found hanged after vuln[erability] wipes websites
• Web Hacking Incident Database (WHID) 2009-45: Outcome: Death

Even if you don't have a formal disaster recovery plan, at least make sure you have backups of all your site code, database and other data.

The new British Standard 10012:2009, Data Protection - Specification for a Personal Information Management System, has been published.

British Standard 10012:2009 was the subject of an earlier draft for public comment (DPC) and I worked with the OWASP Industry Committee on a response.

BS 10012 is not an alternative to the excellent guidance for organisations now produced by the UK's Information Commissioner's Office, but instead is a specification for a personal information management system (PIMS). A PIMS is a governance process for all types of personal information within a company but could also be used for other types of sensitive data. BSI's slant on this is that a PIMS, and therefore BS 10012, could help maintain and improve compliance with the Data Protection Act (DPA) 1998.

A good start and one to watch.

On Tuesday I attended an e-commerce insurance book launch by the Insurance Institute of London in the Old Library at Lloyd's of London.

Insurance Aspects of E-Commerce was drafted by members of the Insurance Institute of London (IIL) Research Study Group 256. It's worth pointing out that "e-commerce" here refers to doing business electronically, rather than the narrower concept of online payments i.e. payment by debit and credit cards. The publication has chapters about:

• the effect of IT on the London insurance markets
• brokers' views on e-risks and e-trading initiatives
• security of e-commerce
• experience in underwriting e-risk insurance
• online third party risks
• first party risks
• regulation of online insurance
• the effects of the Electronic Commerce (EC Directive) Regulations 2002
• review of the current London (i.e. UK) market.

So it not only explores the issues and challenges to underwriters of e-commerce insurance (sometimes also referred to as cyber liability, internet liability insurance, online insurance or e-trading insurance), but also the effect of IT on insurance (e.g. streamlining, standardisation and e-trading), the regulatory background, issues of e-trading for insurers and a thorough, yet jargon-free, explanation of the information security issues. The latter correctly highlights that e-commerce security is not just related to technology—it's a combination of technology, people and culture.

The e-risk factors for businesses seeking e-commerce insurance are described and include the organisation's activities, locations, turnover, number of staff and the scale of its online activities such as direct revenue and traffic (e.g. web site visitors numbers). Increasingly the organisation's risk management framework and disaster recovery plans are a consideration in whether insurance can be obtained and what the premium is.

The publication is worth reading by anyone responsible for a transactional web site—regardless if they are seeking any form of cyber insurance—they have ownership, marketing, compliance, governance or information system responsibilities. Perhaps only the 25 pages of Chapter 7 concerning regulation of online insurance would not be of interest to non-insurance readers.

The 170-page A5 book is available from the IIL for £59+postage, with a discount for IIL and Chartered Insurance Institute (CII) members. ISBN 978-0-900493-88-1.