21 May 2013

Authenticity

Posts relating to the information security principle "Authenticity" are listed below.

21 May 2013

OWASP EU Tour 2013 in London on June 3rd

As part of the OWASP EU Tour 2013, there will be a special event in London next month, along the lines of the recent ones in Cambridge and Leicester.

Photograph of London at dusk with the river Thames in the foreground and St Paul's cathedral lit up

The one day conference is being held in central London on Monday 3rd of June 2013 at the Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY. The nearest tube station is Holborn. It is free to attend and is open to all, but registration is required as numbers are limited to 100.

The agenda is still being finalised, but OWASP Ireland chapter leader Fabio Cerullo is presenting PCIDSS for developers, OWASP Cambridge chapter leader Steven van der Baan will be talking about simple steps for secure coding, and OWASP London chapter leader Justin Clarke will be speaking about securing development with PMD, the popular Java code scanning tool. I will be introducing and demonstrating OWASP Cornucopia. A very developer-orientated agenda so far.

The EU Tour continues to OWASP chapters in Barcelona, Bucharest, Belgium, Denmark, Dublin, Lisbon, Netherlands and Rome. Other locations will be added in due course.

Posted on: 21 May 2013 at 19:59 hrs

04 May 2013

OWASP European Tour Kick-Off in Cambridge

Following the success of similar events in Latin America, a rolling tour of events with OWASP speakers will be occurring in European countries, beginning with Cambridge this month.

Banner image from the OWASP European Tour flyer for the application security event in Cambridge, UK on 13th May 2013

This first event of the tour has been organised in conjunction with Anglia Ruskin University's Department of Computing and Technology for Monday 13 May 2013.

The agenda lists all the speakers:

I will be speaking about application security vulnerability severity ranking and prioritisation. This will be of use if you have to create or consume vulnerability assessments and penetration test reports, or are involved in patch management or PCIDSS compliance.

Thank you to Fabio Cerullo and the OWASP team who made this tour happen.

The event runs from 11:00 to 17:15 hrs and is located in LAB 002, Lord Ashcroft Building, Anglia Ruskin University, Cambridge. It is free to attend, but advance registration is required.

Posted on: 04 May 2013 at 07:36 hrs

19 April 2013

AppSensor at Security B-Sides London

Next week Dinis Cruz and I will be running an AppSensor workshop at Security B-Sides London 2013.

Photograph of a clock at the prime meridian in Greenwich looking towards central London and the banks at Canary Wharf

We will be demonstrating and helping attendees of the workshop specify, define and implement application-specific attack detection and real-time response. Our agenda is:

  • OWASP AppSensor concept
  • Attack detection exercise
  • Real world implementation
  • Alternative deployment models

We'll be using paper-based materials and real code demonstrations (in .Net, Java and PHP), so just bring your brains along. The workshop is being run from 14:00 to 15:30 hrs on Wednesday April 24th 2013 and can be booked on arrival at the event. It is available on a first come, first served basis. Security B-Sides London is a community-driven free event that requires registration, and due to overwhelming demand there is a waiting list.

We hope to see you there.

Posted on: 19 April 2013 at 08:41 hrs

12 April 2013

State of Software Security Report Volume 5

The fifth semi-annual "State of Software Security Report - The Intractable Problem of Insecure Software" has been issued by Veracode (see my previous comments on volumes 1, 2, 3 and 4).

Partial view of the cover sheet from Volume 5 of Veracode's 'State of Software Security Report - The Intractable Problem of Insecure Software' report

In Volume 5, there is extended analysis of the vulnerability trends, an analysis of issues by five common programming languages (Java, .NET, C/C++, PHP and ColdFusion), and a more detailed description of the data broken down by three types of application: mobile, web and non-web.

The analysis of the mobile applications tested includes a table showing the distribution of vulnerability types for Android, iOS and Java ME, highlighting how strongly the platform affects the types of flaws found. The data on mobile apps remains a very small proportion of the total data set. Appendix A includes further detail on the data set, and this reveals that 78% of the applications were internally developed, 14% commercial, 7% open source and just 1% outsourced.

Posted on: 12 April 2013 at 13:55 hrs

09 April 2013

Upcoming OWASP Conferences

Three regional OWASP application security conferences are planned for later this year.

Photograph of the top-level structure of the London Shard

OWASP runs the most comprehensive application security conferences with a very high standard of training courses, speakers and delegates to network with. The next three conferences are:

  • August 20-23: AppSec EU Research 2013, Hamburg, Germany
  • October 1-4: AppSec Latam 2013, Lima, Peru
  • November 18-21: AppSec USA 2013, New York, USA

The calls for training and papers are open for AppSec EU and AppSec USA. I hope to attend both of these. AppSec Asia will occur again in spring 2014.

Posted on: 09 April 2013 at 08:23 hrs

15 March 2013

Presentations at OWASP Netherlands

There was a high attendance at OWASP NL's chapter meeting at Radboud Universiteit Nijmegen.

Photograph of the event signage for OWASP Netherlands at Radboud Universiteit Nijmegen on 13th March 2013

Jim Manico was unable to present due to illness but Georgia Weidman, who was speaking at Blackhat Europe 2013, stepped in to present the Smartphone Pentesting Framework (SPF). SPF is the result of a DARPA Cyber Fast Track project, and provides tools and a methodology for penetration testers and security teams to gather information about, assess and exploit smartphone devices in the workplace.

We were well looked after at the event. The attendees asked very relevant questions, and I hope my animated presentation showing how to play the Cornucopia card game explained the rules adequately. Thanks to Martin for driving us from Amsterdam to Nijmegen and back.

The presentations are available on the OWASP website.

Posted on: 15 March 2013 at 06:23 hrs

12 March 2013

Windows XP - Going, Going..

Still using Windows XP in your production environment? Time to change.

Photograph of a public payment kiosk displaying a Windows XP error message

In just over 12 months, on 8th April 2014, Windows XP will no longer have any official support from Microsoft. While many of this blog's readers will be deploying to server environments, and thus not using XP, many applications are also hosted on users' workstations, in remote locations and even on some process control systems. Windows XP is still very common in point of sale (PoS) equipment and public kiosks, including those used to buy tickets. After April 8th Microsoft will cease to release security and system updates, so any vulnerability found in XP after that date will remain unpatched on every machine still running it.

If you haven't already done so, and where possible, make sure you have the latest service pack (Windows XP SP3) installed, and make plans for how to migrate away from Windows XP. If you are under a regulatory or contractual obligation to keep host software up-to-date and fully patched, this requirement should have special priority: after the support end date, a fully patched XP host no longer exists. A year is not long to plan the replacement of a large number of machines.
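Before any migration plan can be made, the XP hosts have to be found. The script below is an added example, not code from the original post: it inventories a list of Windows hosts over WMI, flags those running Windows XP and records their service pack level, so that machines still below SP3 and migration candidates can be listed in one place. It assumes WMI (DCOM) access to each host and a hypothetical hosts.txt containing one computer name per line; the Win32_OperatingSystem class and its Caption, Version and ServicePackMajorVersion properties are standard WMI, and the script is written for PowerShell 2.0 or later.

```powershell
# Added example, not part of the original post: inventory Windows hosts
# over WMI and flag Windows XP machines with their service pack level.
# Assumes WMI (DCOM) access to each host and a hypothetical hosts.txt
# with one computer name per line.
$hosts = Get-Content -Path .\hosts.txt

$hosts | ForEach-Object {
    $computer = $_
    try {
        # Win32_OperatingSystem reports the product name, version and service pack.
        # Windows XP identifies itself as version 5.1 (x86) or 5.2 (x64 edition).
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $computer -ErrorAction Stop
        $isXp = $os.Caption -match 'Windows XP'
        $action = if (-not $isXp) { 'none' }
                  elseif ($os.ServicePackMajorVersion -lt 3) { 'install SP3, then migrate' }
                  else { 'migrate before 8 April 2014' }
        New-Object PSObject -Property @{
            Computer    = $computer
            OS          = $os.Caption
            Version     = $os.Version
            ServicePack = $os.ServicePackMajorVersion
            Action      = $action
        }
    } catch {
        # Unreachable or access denied: still record the host so it is not forgotten.
        New-Object PSObject -Property @{
            Computer    = $computer
            OS          = 'unreachable'
            Version     = ''
            ServicePack = ''
            Action      = 'check manually'
        }
    }
} | Export-Csv -Path .\xp-inventory.csv -NoTypeInformation
```

Hosts that cannot be queried are listed as "check manually" rather than dropped, because an unreachable kiosk or PoS terminal is exactly the kind of machine that tends to be missed until after the support end date.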

Posted on: 12 March 2013 at 17:41 hrs

05 March 2013

Direct.uk Revisited

Do you remember Nominet's consultation regarding a new .uk domain name?

Over the coming months, this work will explore... Measures to improve security across the whole of the .uk namespace. This would include increased focus on encouraging the adoption of DNSSEC.

Nominet has produced a comprehensive summary of the consultation, a response analysis and an update which identifies the next steps being taken. There is much useful commentary on the proposed security aspects (Part II of the summary document, pp18-38) including:

  • Concern that enhanced security requirements for direct.uk would devalue existing .co.uk and .org.uk domain names
  • General consensus that making DNSSEC mandatory for new domains
  • Security features not comprehensive enough or rigorous enough
  • Malware monitoring is the responsibility of the registrant, not the registry
  • Malware monitoring may not be effective
  • The proposed trustmark could be misleading and be a large burden on registrars and registrants
  • Consider applying the proposed security features to existing third level domain names

The current proposal will not proceed and Nominet is reviewing alternatives. The update notes there was widespread support for DNSSEC, but concern about the use of a trustmark, and a need to address security more widely than just a subset of new domain names.

Posted on: 05 March 2013 at 07:12 hrs

26 February 2013

OWASP NL 13.03.13

I will be travelling to Nijmegen on Wednesday 13th March having been invited to speak at the OWASP Netherlands local chapter.

Photograph of three airport departure boards with one displaying the blue screen of death in contrast to the flight departures listed on the other two

At the meeting in the Radboud Universiteit Nijmegen, I will present two brand new talks.

  • "Record It!" — Do you know what security event information should be recorded by an application? The presentation will outline which event properties are useful, what should be avoided and how logging can be implemented. In this short presentation, the benefits of good application logging will also be described. The content is drawn from the OWASP (Application Security) Logging Cheat Sheet
  • "OWASP Cornucopia" — Microsoft's Elevation of Privilege (EoP) threat modelling card game has been refreshed into a new version more suitable for common web applications, and aligned with OWASP advice and guides. The PCI DSS referenced OWASP Cornucopia - Ecommerce Web Application Edition will be presented and used to demonstrate how it can help developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide.

OWASP board member Jim Manico is also presenting on the subject of "Access Control Design Best Practices". Jim is a great speaker and I am looking forward to this.

The venue is the Beta-faculty, Huygensgebouw, at Heyendaalseweg 135, Nijmegen, Parkeergarage P11. Registration and pizza will occur from 18:30 hrs until 19:15 hrs when my first talk commences. The presentations will end at 21:00 hrs followed by a period for further networking. Registration is free but necessary.

Posted on: 26 February 2013 at 10:55 hrs

19 February 2013

Application Security Programmes and Practices

The SANS Analyst Program has published a white paper by Jim Bird and Frank Kim.

Partial view of a chart from the SANS Analyst Programme white paper 'SANS Survey on Application Security Programs and Practices' showing the frequency of testing business-critical applications

SANS Survey on Application Security Programs and Practices describes the results of a sponsored survey of 700 employees with responsibilities for security, management and software development. The aims of the survey were to identify the drivers for application security programs, the greatest risks, how resources are prioritised, what practices are being undertaken, which tools and services are used, programme challenges, and the maturity and effectiveness of the programmes.

Similar to the 2011 report from Forrester Research, the most important drivers for application security programmes (secure software development life cycles) are regulatory/compliance requirements, with the Payment Card Industry (PCI) standards, the US Sarbanes-Oxley Act (SOX) and the US Health Insurance Portability and Accountability Act (HIPAA) being the most common.

The comprehensiveness of application security programmes is reviewed for internally-developed, outsourced application development, and commercial off the shelf (COTS) applications. Apart from policies and vulnerability awareness, and risk assessments/due diligence of third parties, the survey primarily reports on technological controls and practices. These are static analysis code review, dynamic analysis (e.g. vulnerability scanning), manual penetration testing, and use of web application firewalls (WAFs) and using WAFs for virtual patching.

There is no mention of other practices that can contribute such as defining security requirements, producing guidance materials, training, design and architecture reviews, secure deployment (see more in the Software Assurance Maturity Model, BITS Software Assurance Framework, BSIMM, etc).

See also the related Application Security Gap Study and Protection Against Business Logic Attacks.

Posted on: 19 February 2013 at 09:48 hrs
Authenticity Security Principle : Web Security, Usability and Design
http://www.clerkendweller.com/Authenticity
© 2008-2013 clerkendweller.com