20 January 2012

Authenticity

Posts relating to the information security principle "Authenticity" are listed below.

20 January 2012

London Android Group

After attending the London Web Performance Testing Group on Wednesday evening, I went along to the London Android Group (londroid) at Skills Matter.

Photograph of attendees at the London Android User Group meeting at Skills Matter

Mixing Native and Web Technologies, Oh My included three presentations/demonstrations. Great stuff.

Dave Springgay spoke about his experiences at News International developing highly crafted news apps which provide high quality and high performance on native mobile operating systems. He explained their use of HTML5, Android WebView and Java bridging to use JavaScript to inject content (mainly JSON) directly into pre-built HTML templates which are customised for each device, and which can be updated without re-deploying the app.

Jonathan Anthony provided an overview of the advantages of building mobile applications as webapps, using PhoneGap, using Titanium, and finally as native apps. He explained the latter of course give the best performance, better graphics and access to all the hardware APIs (with geo-location and camera being the most popular) along with the ability to have an icon on the desktop, but come at a cost due to the higher rates for developers, and the need to develop for at least two operating systems (i.e Android and the other one). He thought that for many apps, a webapp should be considered, due to speed of development and the cross-platform capability making them perhaps a quarter of the price.

Finally, Doug Chisholm and Clinton Smith described the capabilities of appsplash to develop cross-platform applications using their custom development platform.

So that's the technologies presented, but jQuery Mobile and jQTouch were also mentioned. Plenty to keep tabs on.

Posted on: 20 January 2012 at 07:30 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

10 January 2012

Report on Dynamic Application Security Testing (DAST) Solutions

Gartner published its report Magic Quadrant for Dynamic Application Security Testing (DAST) at the end of December.

The cover from Gartner's 'Magic Quadrant for Dynamic Application Security Testing' by Neil MacDonald and Joseph Feiman

The report is currently available to download free of charge if you register on Veracode's website. But it looks like if your turnover is less than $500 million, or say it is, the sales folk may be less likely to bother you.

The report is a useful summary, but I don't think it does enough to highlight the need for DAST to be just one part of a mix of activities contributing to a secure software development lifecycle, and therefore more secure applications. There's plenty of activity out there combining developer training, secure coding guidelines, vulnerability management, web application firewall dynamic patching and static analysis techniques too.

Posted on: 10 January 2012 at 08:48 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

03 January 2012

AppSec EU 2012 To Be Held in Athens

Happy new year. Planning your diary already? Looking for the best European conference for information about application security?

Photograph of a public display board beneath a sign saying 'Information' - the web browser on screen is displaying a Firefox error message because it cannot connect to the requested information resource address

Europe's premier application security conference, AppSec EU, is being held in Athens, Greece, from 10th to 13th July 2012. As in Stockholm two years ago, this event has a research theme, but there will be plenty of practical information, advice and application security training.

In May I participated in the OWASP Greece chapter Training Day in Athens and was overwhelmed by the level of attendance from the enthusiastic and knowledgeable development community. I am sure the sponsorship opportunities and tickets will be snapped up quickly.

AppSec EU Research 2012 is being hosted by the Department of Informatics and Telecommunications of the University of Athens.

Posted on: 03 January 2012 at 08:15 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

30 December 2011

Maritime Sector Cyber Security

Another report from the European Network and Information Security Agency (ENISA) highlights deficiencies in the maritime sector.

Photograph of a ship's bow berthed in Florida

The study's report Cyber Security Aspects in the Maritime Sector discusses that while there is increasing knowledge concerning physical security and crew safety, maritime cyber security awareness is low to non-existent. The situation is made worse by fragmented responsibilities, lack of incident information, and missing legislation in this area.

A relatively quick read if you are active in the sector.

Posted on: 30 December 2011 at 22:04 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

27 December 2011

Guide to HTML5 Web Security

Further to my previous notes about HTML 5 security, a superb reference document was published earlier this month.

An extract from a page in Michael Schmidt's document HTML5 Web Security showing how HTML5 vulnerabilities and attacks are described and illustrated in diagrammatic form

Michael Schmidt (Compass Security) wrote his master's thesis about HTML5 security in May 2011 and has published an extract for everyone to access.

HTML5 Web Security describes issues, vulnerabilities, threat & attack scenarios and countermeasures across 80 pages including numerous well thought-out diagrams, and is backed up with detailed references and an appendix full of attack details.

The main sections are:

  • 2.2 Cross-origin resource sharing
  • 2.3 Web storage
  • 2.4 Offline web application
  • 2.5 Web messaging
  • 2.6 Custom scheme and content handlers
  • 2.7 Web sockets API
  • 2.8 Geolocation API
  • 2.9 Implicit relevant features of HTML5
    Web workers, new elements, attributes and CSS, Iframe sandboxing and server-sent events

If you are already developing HTML, or planning to, read this document as soon as possible and update your requirements documents, specifications, design documents, coding standards, and test plans to incorporate the knowledge.

The document would be worth buying if it were a book, but it has generously been made available publicly. Yes, I am still reading the document, and so far have only one very minor complaint — it would be good to have a content list. Maybe in version 1.1?

Posted on: 27 December 2011 at 09:07 hrs

Comments Comments (3) | Permalink | Send Send | Post to Twitter

06 December 2011

Registry of Cloud Computing Providers' Security Controls

This week, the Cloud Security Alliance has announced its new repository of security control self -assessments for cloud computing providers.

Part of the Security Response in the Context of CSA Cloud Control Matrix )CCM) security controls SA-03 through SA-04 for Microsoft's Office 365, published on the Cloud Security Alliance (CSA) Security, Trust and Assurance Registry (STAR)

The CSA Security, Trust and Assurance Registry (STAR) lists providers who have completed and submitted a Consensus Assessments Initiative Questionnaire (CAIQ) or Cloud Controls Matrix (CCM) response to indicate their compliance with CSA best practices.

Currently only two providers are listed, but more are in progress. This will be a very helpful resource for those seeking assurance about controls from suppliers, and potentially standardise the way cloud providers publish information about their security practices, simplifying procurement processes. If you are an IaaS, PaaS or SaaS provider, the existing submissions may help your own controls development or completion of an assessment.

There is more information in the detailed FAQ and LinkedIn forum.

Posted on: 06 December 2011 at 08:59 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

02 December 2011

UK Cyber Security Hub

Last week the UK government's Cabinet Office published its new cyber security strategy.

Sections form the UK's 'Cyber Security Strategy 2011 - Protecting and promoting the UK in a digital world' discussing the cyber security hub

The Cyber Security Strategy describes the government's commitment to this "tier 1" risk. In the objective to make the UK "more resilient to cyber attacks and better able to protect our interests in cyber space", I hope the "risk-based approach..." "...working in partnership" which includes "raising business awareness" includes helping organisations of all sorts acquire and develop software which is secure and fit-for-purpose.

In particular, I hope the Cyber Security Hub will be able to promote secure software development lifecycles.

Posted on: 02 December 2011 at 00:52 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

18 October 2011

HTML5 Security

OWASP has announced a new addition to the immensely helpful cheat sheet series.

This first version of the HTML Security Cheat Sheet includes guidance on:

  • Cross Origin Resource Sharing
  • Local Storage (a.k.a. Offline Storage, Web Storage)
  • WebDatabase
  • Web Workers
  • WebSockets
  • Geolocation
  • Use the sandbox attribute of an iframe for untrusted content
  • Web Messaging
  • XHR and DOM abuses
  • HTML5 Widgets
  • Progressive Enhancements and Graceful Degradation Risks

If you have anything to add, or suggest, please contact the people involved — Mark Roxbury, Krzysztof Kotowicz, Will Stranathan and Shreeraj Shah are the authors and primary editors.

For something in more depth, go to html5security and the related html5sec for an encyclopaedic reference source.

There is another more general presentation about using HTML5 WebSockets at London Web on Thursday evening this week (20th October), but be quick to register as there are already 175 people attending, and currently only 4 spaces left.

Posted on: 18 October 2011 at 13:30 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

04 October 2011

Example Secure Coding Guidelines

Undertaking training for developers and documenting secure coding guidelines are two of the earliest activities that should be undertaken in software security initiatives.

establish a concise and consistent approach to secure application development

It is good to see Mozilla has published its WebAppSec Secure Coding Guidelines.

These show that secure coding guidelines neither need to be long nor overly complex. And yes they have to be tailored to your own development practices and risks. Read, re-use and reinvent.

Posted on: 04 October 2011 at 07:38 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

30 September 2011

BSIMM 3 Released

Building Security In Maturity Model (BSIMM) version 3 (BSIMM3) was released on Tuesday by Cigital and Fortify.

An example scorecard in version 3 of the Building Security In Maturity Model (BSIMM)

Building Security In Maturity Model is an analysis of the results from a detailed surveying process about how companies build security into their software development processes. Its aim is to help all organisations understand, assess and plan software security initiatives. The findings identified are grouped into 12 practices across four domains called governance, intelligence, SSDL touchpoints and deployment in what is called the Software Security Framework. In these practices, a total of 109 activities are defined, spread across three tiers of complexity (levels 1 to 3) to give the appearance of a maturity model.

BSIMM3 includes data from 42 software security initiatives — 12 more than in BSIMM2. Although the data is primarily collected from organisations in the financial services, independent software vendor and technology sectors, other sectors are represented too. Many of the programmes are large, with the average number of developers being over 5,000 — but it ranges from just 10 to 30,000. No organisation survey does all 109 activities.

With the increase in source data, there has not been any significant change the the general findings, and the structure of domains, practices and activities has virtually not changed at all. The descriptions for most of the activities have been extended to clarify the meaning and provide further examples; in a small number of cases minor corrections have been made. But the total number of activities in unchanged, and their titles are the same. The following activities have been demoted from level 2 to level 1:

  • Strategy & Metrics (SM) 2.4 "Require security sign-off" is now SM 1.6
  • Attack Models (AM) 2.3 "Gather attack intelligence" is now AM 1.5
  • Security Testing (ST) 2.2 "Allow declarative security/security features to drive tests" is now ST 1.3
  • Penetration testing (PT) 2.1 "Use pen testing tools internally" is now PT 1.3

One activity has been promoted from level 1 to level 2:

  • SM 1.5 "Identify metrics and drive initiative budgets with them" is now SM 2.5

So, previous scoring under BSIMM2 will need to be re-calculated, but there is a one-to-one mapping, and the numbering of all other activities remains unchanged.

The new scorecard presentation format demonstrate how to do a comparison of your own initiatives at a glance, and since some of the data sources have now been assessed more than once, BSIMM3 provides some comparison of changes over time.

So, some useful information for organisation wanting to assess and build out software security initiatives. Also take a look at Building Security In, Microsoft SDL, Open SAMM.

Posted on: 30 September 2011 at 08:00 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

More Entries

Authenticity Security Principle : Web Security, Usability and Design
http://www.clerkendweller.com/Authenticity
ISO/IEC 18004:2006 QR code for http://clerkendweller.com

Page http://www.clerkendweller.com/Authenticity
Requested by 38.107.179.223 on Saturday, 4 February 2012 at 21:29 hrs (London date/time)

Please read our terms of use and obtain professional advice before undertaking any actions based on the opinions, suggestions and generic guidance presented here. Your organisation's situation will be unique and all practices and controls need to be assessed with consideration of your own business context.

Terms of use http://www.clerkendweller.com/page/terms
Privacy statement http://www.clerkendweller.com/page/privacy
© 2008-2012 clerkendweller.com