08 March 2013

Administrative

Posts relating to the category tag "administrative" are listed below.

10 August 2012

Software Assurance Maturity Scorecards

I have posted a new message to the Software Assurance Maturity Model (SAMM) blog regarding scorecard charts.

Partial view of a SAMM scorecard chart showing the software assurance maturity levels against the security practices

Like the previously created roadmaps, the scorecard charts use a transformation from an XML file to create an SVG image. They illustrate a team, project or organisation's maturity level, scored against SAMM, at a single point in time (the scorecard charts in the SAMM document compare scores at two points in time).

The XML template, schema and transformation files are available to download without charge or registration.

Posted on: 10 August 2012 at 07:52 hrs


03 August 2012

The European Commission, Information Risk Assessments and Breach Notifications

Summer must be the time to publish consultations before everyone goes away on holiday. The European Commission (how the EU works) has published a consultation regarding information risk assessment and breach notification.

Photograph of a hotel-room safe with its door ajar; the mechanism to lock and unlock the safe is a credit card swipe device

The public consultation briefing describes how the European Commission is seeking to adopt a joint strategy with the High Representative of the Union for Foreign Affairs and Security Policy that will ensure a secure and trustworthy digital environment, while protecting fundamental rights and EU core values. It is considering three approaches:

  • Voluntary cooperation and information exchange between member states and the public and private sectors, as happens currently
  • Taking up minimum capabilities at a national level and promoting a more structured approach to cooperation and information exchange
  • Legislation to define minimum network and information security (NIS) capabilities for member states, a dedicated network for cooperation and information exchange, and, most interestingly, requirements for the private sector to adopt "NIS enhancing actions"

Within the last option, the Commission is considering a requirement to adopt risk management practices and to report security breaches affecting networks and information systems "that are critical to the provision of key economic and societal services (e.g. finance, energy, transport and health) and to the functioning of the Internet (e.g. e-commerce, social networking)".

The Commission has prepared a response form (web form, PDF) that asks a series of wide-ranging questions of governments, businesses and citizens, and there is scope for long answers and for submitting additional documents. The responses will be used to identify strategic actions and contribute to its impact assessment of the proposals. If your trade organisation or professional association is not planning a response, chase them up now.

The consultation runs until mid October 2012 (the 12th or 15th depending upon which document you believe).

Posted on: 03 August 2012 at 08:38 hrs


27 July 2012

Consultation on .UK Domain Renewal Expiry

Following recent work by one of Nominet's issue groups, a consultation has been published on the current policy that provides registrants with a 90 day expiry period in which to rectify a mistaken non-renewal.

The current policy indicates that the expiry period is for the benefit of the registrant; however, the policy does not further elaborate as to what is intended by "benefit of the registrant".

The Domain Expiry Policy Consultation describes the current recommendations which are the result of feedback from an initial version in February. The Domain Expiry Policy Issue Group has asked for feedback to be sent by email to policy@nominet.org.uk by 3 September 2012. Feedback may be published anonymously.

Nominet has provided some statistical data on .UK renewals.

Posted on: 27 July 2012 at 07:27 hrs


29 June 2012

PCI DSS Requirement 6.2 and Severity Ranking Spaghetti

The week after next, OWASP AppSec EU begins in Athens, where I am speaking. During my presentation I will discuss the newly mandatory Requirement 6.2 in PCI DSS relating to the ranking of vulnerabilities, with special emphasis on ranking the severity of vulnerabilities in software applications.

Requirement 6.2: Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities.

In Tricolour Alphanumerical Spaghetti I will also describe alternative ways of meeting PCI DSS v2.0 Requirement 6.2, which becomes mandatory from 30th June (tomorrow), having previously been considered only a best practice. I will discuss risk ranking schemes and how to develop a method for evaluating vulnerabilities and assigning a risk rating relevant to your own specific environment and business needs.

PCI DSS Requirement 6.2 influences other requirements where the prioritisation of vulnerabilities is referenced:

  • 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
  • 6.5.6 Develop applications based on secure coding guidelines. Prevent common coding vulnerabilities in software development processes, to include the following: ... All "High" vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.2).
  • 10.4 Using time synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time.
  • 11.2.1 Perform quarterly internal vulnerability scans.
  • 11.2.3 Perform internal and external scans after any significant change.

So, I am hoping it will be of use to those with PCI DSS obligations, as well as to organisations who simply want to know what the severity rating of a vulnerability, flaw, fault or weakness means. The presentation is being given at 15:20 hrs on Thursday 12th in the "Builders" track.

Immediately prior to the conference there are training courses. There are still some places left on my course Application Attack Detection & Response — A Hands-on Planning Workshop being held on Tuesday 10th July. This will be a highly interactive day with generous learning opportunities. Last time we did the course, the participants really enjoyed it and gave great feedback.

If you are going to the conference, why not take the opportunity to receive some training? On the next day, Wednesday, you could also register for the training course Elite Web Defense — How to Build Robust and Secure Web Applications, being run by the excellent Jim Manico and Eoin Keary. Register for the training and conference here.

Posted on: 29 June 2012 at 08:25 hrs


19 June 2012

Consultation on Notice & Action (Takedown)

The European Commission has begun a consultation on procedures for notifying and acting on illegal content hosted by online intermediaries.

Portion of the questions in the online response form to the European Commission's consultation on 'A Clean and Open Internet: Public Consultation on Procedures for Notifying and Acting on Illegal Content Hosted by Online Intermediaries'

A Clean and Open Internet: Public Consultation on Procedures for Notifying and Acting on Illegal Content Hosted by Online Intermediaries asks for the views of citizens, organisations and public authorities about the exemptions for liability of service providers for online content under the E-Commerce Directive (implemented in the UK as the E-Commerce Regulations). The consultation is seeking views concerning four aspects:

  • Notice and Action procedures
  • Notifying illegal content to hosting service providers
  • Action against illegal content by hosting service providers
  • The role of the EU in notice-and-action procedures

There is a thorough briefing of the issues on Out-Law.com.

Responses can be submitted via an online form (the full form can be viewed in advance by downloading it as a PDF). The consultation runs until 5th September 2012.

Posted on: 19 June 2012 at 07:41 hrs


06 June 2012

Three Infographics - Part 2 - Cybersecurity Soft Spot: Software Applications

Last month Veracode, who publish the State of Software Security Report, posted an infographic on their blog highlighting cyber security risks in publicly listed US companies.

Partial image of the infographic from Veracode's 'Cybersecurity Risks in Public Companies'

Cybersecurity Risks in Public Companies Infographic draws together data from the Verizon Data Breach Investigations Report 2012, the regularly updated Web Hacking Incidents Database and Veracode's own reports.

Quite a useful pictorial if you want to provide a snapshot of some of the key issues.

Posted on: 06 June 2012 at 11:00 hrs


29 May 2012

Cookies Etc Law v3

The Information Commissioner's Office (ICO) has updated its guidance relating to the use of tracking technologies under changes to the UK's Privacy and Electronic Communications Regulations (PECR), which came into force last year but which began to be enforced last Saturday, 26th May 2012.

Implied consent is certainly a valid form of consent but those who seek to rely on it should not see it as an easy way out or use the term as a euphemism for "doing nothing"

Version 3 is an update to the version issued last December, and provides further information on "implied consent". The guidance is accompanied by a blog posting and video presentation.

Posted on: 29 May 2012 at 20:09 hrs


13 May 2012

Logging Strategically

Last month I discussed application logging from an implementation viewpoint. Rafal Los (Wh1t3Rabbit) has published a helpful series of posts on his Following the White Rabbit blog regarding the drivers, motivation and strategic considerations when undertaking application logging.

a series of posts ... that will cover the untapped wealth that is your corporate logs

The four posts are:

My own implementation notes are written up in the OWASP Application [Security] Logging Cheat Sheet.

Posted on: 13 May 2012 at 10:21 hrs


21 April 2012

Website Security ICO Enforcement Action Roundup

The UK's Information Commissioner's Office (ICO) publishes details of its prosecutions, monetary penalties, undertakings and enforcement notices.

Photograph of a sign beside Kielder Water with the warning 'Danger - Soft Ground'

This week, two additional undertakings were published:

  • Brecon Beacons National Park Authority for disclosure of personal data via its web site in two separate cases (undertaking, 18th April 2012)
  • Toshiba Information Systems UK Ltd for unrestricted access to the personal data of 20 customers on its web site over a two-month period (undertaking, 17th April 2012)

The Toshiba incident is interesting because it specifically mentions lack of access control and the weakness of insecure direct object references. There's a good write-up about the Toshiba issue on the Web Application Security - From the Start blog.

The other most recent ICO actions relating to web sites (rather than paper, laptops, USB devices, email, fax, etc) were:

What can we learn about the ICO's specific expectations for organisations' online application compliance with the seventh data protection principle to protect against unauthorised and unlawful processing, accidental loss, destruction, and/or damage? The enforcement notices above suggest:

  • There must be a policy for processing of personal data and staff must be made aware of it and given training which is monitored (Durham University)
  • There must be a policy for the retention, storage and use of personal data and staff must be trained how to follow the policy (Brecon Beacons NPA)
  • Publication of information must not contravene any relevant legislation regarding information disclosure (Brecon Beacons NPA)
  • Some personal data (organisation dependent) must never be published on a website (Durham University)
  • Access to personal data must require authentication and must have adequate authorisation checks (Brecon Beacons NPA, Toshiba, Dumfries and Galloway Council)
  • Security of personal data must be considered when selecting suppliers of services (Andrew Jonathan Crossley/ACS Law)
  • Third parties involved with developing/maintaining/operating web sites must be made aware of their requirements and responsibilities for protecting personal data (CEOP/SOCA)
  • Contracts with third parties must define data protection responsibilities (CEOP/SOCA)
  • There must be regular checks to ensure web sites remain secure, and any potential weaknesses must be identified very promptly (CEOP/SOCA)
  • There must be measures in place, appropriate for the potential harm that could occur, to prevent accidental personal data loss (Andrew Jonathan Crossley/ACS Law)
  • The risk to online systems must be re-assessed as threats change (Andrew Jonathan Crossley/ACS Law)
  • Compliance with data protection and IT security policies must be verified and monitored (Durham University, Dumfries and Galloway Council)
  • Expert advice must be sought when large amounts of personal data are being stored, processed or transmitted online (Andrew Jonathan Crossley/ACS Law)
  • The findings of audits and security reviews must be assessed by management and implemented, or the risk formally accepted (Dumfries and Galloway Council, CEOP/SOCA)
  • There must be technical measures to detect authorisation failures (Toshiba)

We can also draw additional expectations from the ICO's Data Sharing Code of Practice section on security. Those might be summarised as:

  • Technical security measures must be appropriate for the system in use and the type of data held and processed (Data Sharing Code of Practice)
  • When data encryption is used, it must be selected, implemented and managed appropriately (Data Sharing Code of Practice)
  • The most common security risks must be identified (Data Sharing Code of Practice)
  • There must be suitable access control (authentication, authorisation and session management) with appropriate assignment of privileges based on a "need-to-know" basis (Data Sharing Code of Practice)
  • Information in transit must be protected (Data Sharing Code of Practice)

These are just my own interpretation and, of course, they will not be all of the ICO's expectations, but they are the ones we are now aware of. Additionally, data in online applications may also be exposed in related processes (often email, or transfers between systems, and during development, testing and operation, where data may exist on paperwork, in mobile devices and in archives & backups). Examine the other enforcement notices for the ICO's expectations in these other channels.

If you want to keep up-to-date with application (and other) data loss incidents that subsequently lead to regulatory action in the UK (typically by the FSA or ICO), use Breach Watch. For further afield, use the Web Hacking Incident Database (WHID).

Posted on: 21 April 2012 at 13:18 hrs


13 April 2012

Cloud Service Provider Monitoring

The European Network and Information Security Agency (ENISA) has published a new guide on monitoring the security of cloud services throughout the project life-cycle.

Part of a page from ENISA's 'Procure Secure: A Guide to Monitoring of Security Service Levels in Cloud Contracts' showing some of the extensive cloud service provider monitoring examples

Procure Secure: A Guide to Monitoring of Security Service Levels in Cloud Contracts defines an ongoing security monitoring framework comprising:

  • Service availability
  • Incident response
  • Service elasticity and load tolerance
  • Data life-cycle management
  • Technical compliance and vulnerability management
  • Change management
  • Data isolation
  • Log management and forensics

The concept is to provide continuous cloud-specific service level metrics in between one-off or periodic assessments (e.g. using information technology audit standards such as ISO 2700x, SSAE 16 or ISAE 3402). For each suggested monitoring parameter, examples are provided to help guide what to measure, how to measure it, how to obtain independent measurements, alerting & reporting thresholds, and customer responsibilities.

Although there is a focus on public procurement, the issues are equally relevant in the private sector. There is also a 9-page checklist guide to the document "if you have little time available".

Posted on: 13 April 2012 at 08:20 hrs



Please read our terms of use and obtain professional advice before undertaking any actions based on the opinions, suggestions and generic guidance presented here. Your organisation's situation will be unique and all practices and controls need to be assessed with consideration of your own business context.

© 2008-2013 clerkendweller.com