18 June 2013

Integrity

Posts relating to the information security principle "Integrity" are listed below.

04 May 2013

OWASP European Tour Kick-Off in Cambridge

Following the success of similar events in Latin America, a rolling tour of events with OWASP speakers will be occurring in European Countries, beginning with Cambridge this month.

Banner image from the OWASP European Tour flyer for the application security event in Cambridge, UK on 13th May 2013

This first event of the tour has been organised in conjunction with Anglia Ruskin University's Department of Computing and Technology for Monday 13 May 2013.

The agenda lists all the speakers:

I will be speaking about application security vulnerability severity ranking and prioritisation. This will be of use if you have to create or consume vulnerability assessments and penetration test reports, or are involved in patch management or PCI DSS compliance.

Thank you to Fabio Cerullo and the OWASP team who made this tour happen.

The event runs from 11:00 to 17:15 hrs and is located in LAB 002, Lord Ashcroft Building, Anglia Ruskin University, Cambridge. It is free to attend, but advance registration is required.

Posted on: 04 May 2013 at 07:36 hrs


30 April 2013

2013 Information Security Breaches

Last week the UK's Department for Business Innovation & Skills published the 2013 Information Security Breaches Survey, created in conjunction with PwC.

One of the bar charts in the DBIS '2013 Information Security Breaches Survey'

The report presents the results of the survey and breaks the findings down for larger (>250 staff), medium and smaller (<50 staff) organisations. The term "cyber" appears 15 times and "APT" only once, so it is generally hyperbole-free.

The most interesting data points for me are:

  • 18% of "worst breaches" related to websites and internet gateways, and 4% to breach of laws/regulations
  • For all breaches, operational disruption typically lasts a week, with 2-4 weeks of FTE effort responding to the incident, and a quarter of incidents leading to lost business
  • Reputation losses were estimated to be between £10,000 and £100,000.

The report is available to download in full free of charge without registration.

Posted on: 30 April 2013 at 20:53 hrs


28 April 2013

Reflections on Security B-Sides London 2013

I have just had time to catch up on my attendance and participation at Security B-Sides London 2013.

One of the cartoon-like illustrated pages from the presentation 'The Realex Payments Application Security story' by David Rook (Security Ninja) at Security B-Sides London 2013

This community-led event was held at the town hall of the Royal Borough of Kensington and Chelsea on Wednesday 24th April, and was supported by a large number of speakers, educators, volunteers and sponsors. It was an extremely well organised, and useful, day.

Following the very well attended welcome and introduction from the B-Sides London crew, I went to an immensely valuable and engaging presentation by David Rook (aka Security Ninja) on how he introduced and developed an application security programme at his employer Realex Payments. He has got to the point where customers are approaching his company to act as a payment services provider due only to their knowledge of Security Ninja, and so the marketing department kindly designed cartoon-style presentation slides (like the one illustrated above). They also had these printed as booklets to hand out to those attending the talk at B-Sides London. David described what was done, how it was achieved, and things he would approach differently in hindsight. I won't spoil the plot for you as you will be able to read the booklet yourselves (keep an eye open for a blog post, now available).

After this, I went down to the new Rookie Track where new presenters had been given support through mentoring to give 15-minute presentations. Firstly I listened to Artjom Vassiljev describe how he has built software security testing checks into a continuous integration process with Jenkins.

Following a quick coffee break and catch up with some friends & acquaintances, I returned to the Rookie Track and listened to Diarmaid McManus describe a new Eclipse plugin called ESP he has been working on to help integrate code review checks into developers' coding tools.

Ksenia Dmitrieva provided an introduction to HTML5 risks and gave explanations and examples of common attacks. She also explained the preventative measures which should be used to protect against these issues.

Post lunch, I tracked down Dinis Cruz and we set up our workshop on using OWASP O2 to visualise OWASP AppSensor behaviour. I introduced the concept of application-specific attack detection and response, and described how the ideas might be retrofitted relatively simply to an existing web application such as the bulletin board software phpBB. A review of phpBB's inherent capabilities and logging provides a useful hook for detection points, and responses can include adding users to phpBB's list of "banned IPs" and blocking IPs at the operating system level. Dinis continued with a live demo of the AppSensor demo application, created by Michael Coates, and then he went on to show how AppSensor's new web services Java code can be called directly from within a .Net application, TeamMentor. It was good to bounce ideas off the workshop participants and get their thoughts and suggestions on the practicalities of implementing AppSensor-like capabilities.
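The detection-point and response idea sketched above, as an added example that is not part of the original post or of OWASP AppSensor's own code: detection points report events per user, a threshold within a time window triggers a response, and a "ban_ip" response feeds a banned-IP list of the kind phpBB maintains. The detection point names, thresholds and sample events are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed policy: detection point -> (events needed, window in seconds, response).
# The names are illustrative, not AppSensor's published detection point IDs.
POLICY = {
    "failed_login":       (3, 60, "warn"),
    "unexpected_method":  (2, 30, "ban_ip"),
}


class AppSensor:
    """Counts detection-point events per user and applies a response on threshold."""

    def __init__(self, policy=POLICY):
        self.policy = policy
        self.events = defaultdict(deque)   # (user, detection point) -> timestamps
        self.banned_ips = set()            # would be written to phpBB's banned-IP list
        self.responses = []                # (ts, user, detection point, response)

    def add_event(self, ts, user, ip, detection_point):
        threshold, window, response = self.policy[detection_point]
        window_events = self.events[(user, detection_point)]
        window_events.append(ts)
        # Drop events that have aged out of the sliding window.
        while window_events and ts - window_events[0] > window:
            window_events.popleft()
        if len(window_events) < threshold:
            return None
        window_events.clear()              # reset so the response fires once per burst
        self.responses.append((ts, user, detection_point, response))
        if response == "ban_ip":
            self.banned_ips.add(ip)
        return response


def run_demo():
    """Feeds constructed events through the sensor and returns it for inspection."""
    sensor = AppSensor()
    constructed_events = [
        (0,   "alice", "10.0.0.5", "failed_login"),
        (10,  "alice", "10.0.0.5", "failed_login"),
        (20,  "alice", "10.0.0.5", "failed_login"),      # third in 60 s -> warn
        (100, "bob",   "10.0.0.9", "unexpected_method"),
        (150, "bob",   "10.0.0.9", "unexpected_method"), # first has aged out, no response
        (160, "bob",   "10.0.0.9", "unexpected_method"), # two within 30 s -> ban_ip
    ]
    for event in constructed_events:
        sensor.add_event(*event)
    return sensor
```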

Finally I saw Gavin Holt talking about "NoSQL & Big Data - A Way to Lose Even More Stuff" in which he described the common weaknesses in using NoSQL and attacks that attempt to access such systems and their data. I really liked the 15-minute format on the Rookie Track and all three speakers I heard were really good.

Overall, an excellent day. Many thanks to the very professional B-Sides London team in particular for making sure it all happened.

Update 30th April 2013: Link to Security Ninja's slides added. Ksenia Dmitrieva's talk added.

Posted on: 28 April 2013 at 23:39 hrs


19 April 2013

AppSensor at Security B-Sides London

Next week Dinis Cruz and I will be running an AppSensor workshop at Security B-Sides London 2013.

Photograph of a clock at the prime meridian in Greenwich looking towards central London and the banks at Canary Wharf

We will be demonstrating and helping attendees of the workshop specify, define and implement application-specific attack detection and real-time response. Our agenda is:

  • OWASP AppSensor concept
  • Attack detection exercise
  • Real world implementation
  • Alternative deployment models

We'll be using paper-based materials and real code demonstrations (in .Net, Java and PHP), so just bring your brains along. The workshop is being run from 14:00 to 15:30 hrs on Wednesday April 24th 2013 and can be booked on arrival at the event. It is available on a first come, first served basis. Security B-Sides London is a community-driven free event but requires registration, and due to overwhelming demand there is a waiting list.

We hope to see you there.

Posted on: 19 April 2013 at 08:41 hrs


12 April 2013

State of Software Security Report Volume 5

The fifth semi-annual "State of Software Security Report - The Intractable Problem of Insecure Software" has been issued by Veracode (see my previous comments on volumes 1, 2, 3 and 4).

Partial view of the cover sheet from Volume 5 of Veracode's 'State of Software Security Report - The Intractable Problem of Insecure Software' report

In Volume 5, there is extended analysis of the vulnerability trends, an analysis of issues by five common programming languages (Java, .NET, C/C++, PHP and ColdFusion), and there is a more detailed description of the data broken down by three types of application: mobile, web and non-web.

The analysis of mobile applications tested includes a table showing the distribution of types of vulnerability for Android, iOS and Java ME, highlighting how these significantly affect the types of flaws found. The data on mobile apps remains a very small proportion of the total data set. Appendix A includes further detail on the data set, and this reveals that 78% of the applications were internally developed, 14% commercial, 7% open source and just 1% outsourced.

Posted on: 12 April 2013 at 13:55 hrs


09 April 2013

Upcoming OWASP Conferences

Three regional OWASP application security conferences are planned for later this year.

Photograph of the top-level structure of the London Shard

OWASP runs the most comprehensive application security conferences with a very high standard of training courses, speakers and delegates to network with. The next three conferences are:

  • August 20-23: AppSec EU Research 2013, Hamburg, Germany
  • October 1-4: AppSec Latam 2013, Lima, Peru
  • November 18-21: AppSec USA 2013, New York, USA

The calls for training and papers are open for AppSec EU and AppSec USA. I hope to attend both of these. AppSec Asia will occur again in spring 2014.

Posted on: 09 April 2013 at 08:23 hrs


05 April 2013

Fair Data?

At the end of January, the Market Research Society (MRS) launched an initiative called Fair Data.

Photograph from the London Shard at dusk looking towards Canary Wharf

Existing MRS Company Partners (who are already subject to the MRS Code of Conduct), and others who apply and pass an assessment by the MRS of their "policies and procedures", must firstly adhere to the 10 principles and secondly must "use the Fair Data mark in all relevant dealings with customers and respondents". The 10 principles relate to the following topics:

  1. Consent
  2. Purpose
  3. Access
  4. Security
  5. Respect
  6. Sensitive personal data
  7. Supply chain
  8. Ethics
  9. Staff training
  10. Default to not using personal data unless there is adherence to the above nine principles

So the scheme does not include all eight data protection principles, but it does add some extra business process requirements. Perhaps this is because the trust mark has been designed "to be used internationally".

The scheme seems to have some initial endorsements, but these types of things won't work unless there is large adoption so that consumers and others recognise the mark, and that is backed up by verifiable evidence that it makes a difference. I am not sure if this "kite mark" or "trust seal" is the one to make everyone confident about use of their personal data.

Posted on: 05 April 2013 at 18:32 hrs


02 April 2013

WAF Testing

Selecting and deploying a web application firewall (WAF) needs to be undertaken using robust due diligence procurement/acquisition processes.

Try before you buy

A recent report (discussion) compares three different WAFs — two cloud-based systems and one that is integrated with web server software. The report describes testing SQL injection, cross-site scripting and local/remote file inclusion. I don't think the exact findings are of direct relevance to most real-world deployed applications, but the conclusions to be drawn are:

  • Read this first
  • Consider the rate of both false negatives and false positives
  • Tune the WAF to your own application(s)
  • Work your WAF - do not turn it on and forget about it
  • Do not rely on a WAF

So, in summary, try before you buy.

See also Waffish Behaviour in 2012.

Posted on: 02 April 2013 at 12:26 hrs


15 March 2013

Presentations at OWASP Netherlands

There was a high attendance at OWASP NL's chapter meeting at Radboud Universiteit Nijmegen.

Photograph of the event signage for OWASP Netherlands at Radboud Universiteit Nijmegen on 13th March 2013

Jim Manico was unable to present due to illness but Georgia Weidman, who was speaking at Blackhat Europe 2013, stepped in to present the Smartphone Pentesting Framework (SPF). SPF is the result of a DARPA Cyber Fast Track project, and provides tools and a methodology for penetration testers and security teams to gather information on, assess and exploit smartphone devices in the workplace.

We were well looked after at the event. The attendees asked very relevant questions, and I hope my animated presentation showing how to play the Cornucopia card game explained the rules adequately. Thanks to Martin for driving us from Amsterdam to Nijmegen and back.

The presentations are available on the OWASP website.

Posted on: 15 March 2013 at 06:23 hrs


12 March 2013

Windows XP - Going, Going..

Still using Windows XP in your production environment? Time to change.

Photograph of a public payment kiosk displaying a Windows XP error message

In just over 12 months, on 8th April 2014, Windows XP will no longer have any official support from Microsoft. While many of this blog's readers will be deploying to server environments, and thus not using XP, many applications are also hosted on users' workstations, in remote locations and even on some process control systems. Windows XP is still very common in point of sale (PoS) equipment and public kiosks, including those used to buy tickets. After April 8th Microsoft will cease to release security and system updates.

If you haven't already done so, and where possible, make sure you have the latest service pack (Windows XP SP3) installed, and consider plans about how to migrate away from Windows XP. If you are under a regulatory or contractual obligation to maintain host software up-to-date and fully patched, this requirement might have special priority. A year is not long to make plans to change a large number of machines.

Posted on: 12 March 2013 at 17:41 hrs



Please read our terms of use and obtain professional advice before undertaking any actions based on the opinions, suggestions and generic guidance presented here. Your organisation's situation will be unique and all practices and controls need to be assessed with consideration of your own business context.

© 2008-2013 clerkendweller.com