As part of the OWASP EU Tour 2013, there will be a special event in London next month, along the lines of the recent ones in Cambridge and Leicester.

The one day conference is being held in central London on Monday 3rd of June 2013 at the Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY. The nearest tube station is Holborn. It is free to attend and is open to all, but registration is required as numbers are limited to 100.

The agenda is still being finalised, but OWASP Ireland chapter leader Fabio Cerullo is presenting PCIDSS for developers, OWASP Cambridge chapter leader Steven van der Baan will be talking about simple steps for secure coding, and OWASP London chapter leader Justin Clarke will be speaking about securing development with PMD, the popular Java code scanning tool. I will be introducing and demonstrating OWASP Cornucopia. A very developer-orientated agenda so far.

The EU Tour continues to OWASP chapters in Barcelona, Bucharest, Belgium, Denmark, Dublin, Lisbon, Netherlands and Rome. Other locations will be added in due course.

The current hot topic in the news is the revelation that horsemeat has contaminated the UK's food supply chain. This follows on from recent findings that suggest halal food supplied to some prison contained pork.

The outrage about eating horses and about retail products not containing ingredients other than those listed on the label has raised concerns about how the integrity of the food supply chain can be ensured. There is much more legislation around food standards (for example coffee and juice), and better labelling, but food appears to suffer from similar risks as the software supply chain.

Well there are usually no easy answers, but for once it seems the software assurance community is ahead of food standards. If you don't want unknown ingredients in acquired software code, take a look at:

• Notional Supply Chain Risk Management Practices for Federal Information Systems, NISTIR 722, Interagency Report, NIST, 2012
• Software Assurance in Acquisition and Contract Language, Software Assurance Pocket Guide Series, Software Assurance, US Department of Homeland Security, 2012
• Software Supply Chain Risk Management: From Products to Systems of Systems, Technical Note CMU/SEI-2010-TN-026, Software Engineering Institute, Carnegie Mellon University, 2010
• Evaluating and Mitigating Software Supply Chain Security Risks, Technical Note CMU/SEI-2010-TN-016, Software Engineering Institute, Carnegie Mellon University, 2010
• An Assurance-Based Approach to Minimizing Risks in the Software Supply Chain, SAFECode, 2010
• Framework for Software Supply Chain Integrity, SAFECode, 2009
• Software Supply Chain Risk Management and Due Diligence, Software Assurance Pocket Guide Series, Software Assurance, US Department of Homeland Security, 2009

For some light relief on the horsemeat story, see the jokes here and here.

Twice this week I have referred people to a unique centralised resource of information topics about programming in Java.

John Melton spent a year of his life (no, actually more like a few hours a week for 52 weeks), writing blog posts in his series Year of Security for Java (introduction, conclusion and listing). I have worked with John on aspects of the OWASP AppSensor project, and had the pleasure to meet him in person during AppSec USA 2011 in Minneapolis.

If your company develops in Java, you should reference these in your intranet or development portal — John has created a PDF comprising all the Java security posts.

One of the best sources of application security information and news is the OWASP AppSec Moderated News Feed. It's a gold mine of material.

A nugget I have just caught up with is Jerry Hoff's announcement of a new OWASP project named Framework Security Matrix. The Matrix is a free spreadsheet which maps out which baseline security controls are available in common development platforms, languages and frameworks.

Knowing what is inherent, what can be selected optionally and what must be built by hand is extremely useful. We must thank the hard-working Jerry Hoff along with the project's other contributors John Melton, Harry Papaxenopoulos and Raymond LeBlanc.

Client-side, or local, storage is an area of concern for privacy and security. Therefore I was keen to attend the latest meeting of the London Web Performance Group titled HTML5 and Localstorage - Storage in the Browser at the Lamb Tavern (building c1780, but on the same site since 1309) in Leadenhall Market on Wednesday evening.

I almost changed my mind as I was also tempted to attend another local event on the same evening about NoSQL for Java Developers. Anyway I was very pleased I went to the client-side storage event, but it was so well-attended I almost did not have a seat. As usual, Stephen Thair (@TheOpsMgr) had done a great job organising the event.

Andrew Betts (@triblondon) described his experiences developing HTML5 applications for mobile devices, avoiding native code whenever possible, so that content could be available when the device is offline or in poor signal areas by using client-side storage. He described the pros and cons of using HTTP cookies, Indexed Database API (IndexedDB), Web SQL Database (WebSQL), local storage (key/value store) and Application Cache (or AppCache). Well the answer of which to use is "all of them". Andrew described how the FT.com application makes use of each type's advantages, to combine together into a responsive and network-robust application suitable for the most frequent and demanding of users. Therefore cookies are used for session management, AppCache for a default fallback page, local storage for static content such as HTML scaffolding, JavaScript and style sheets, and IndexedDB/WebSQL for the HTML content of pages. Thus they manage to fit the application into the HTML5 constraints imposed by different operating systems.

He explained many of the techniques used to circumvent mobile network and device-specific issues, but also explained how they managed to squeeze extra storage by compressing content as ASCII or base64 encoded data into JavaScript's UTF-16 double-byte encoding. It is a very clever piece of optimisation, which could also be used for code obfuscation. Details in the presentation slides.

I think users of client storage will have to be careful if it might be determined to be tracking technology. In the FT.com application case, this client storage is not offered to casual web site users, but only to those who have installed the app, are registered and log in. Thus there are opportunities to obtain consent, over and above any warning the device may offer. We are expecting to hear more about the ICO's plans for enforcement of the new regulations at a press conference this morning. Other HTML5 security issues are of course still a concern here. I was slightly troubled by one feature mentioned.

The presenter's slides are now available.

On Wednesday (25th April 2012) I attended Security B-Sides London, held at the rambling and inelegant Barbican Centre in central EC1, and which overlapped with the schedule for Infosec Europe way out on the west side of London.

I must say the two cinemas used for the day's presentations were most suitable, with good visibility, clear sound systems and comfortable seating. The organisers should be thanked for planning and executing such a great day. Every session I went to was of a high quality and in each I learned new things. I listened to Stephen Bonner talking about elegant security, Ian Maxted about social engineering, Thorn Langford about site-based risk assessments, Brian Honan on getting the security message across to senior management, Abraham Aranguren on exploratory web application testing and Sandro Gauchi on escalating privileges in web applications.

However, I'd like to focus on two mobile phone app related sessions by David Rook (aka Security Ninja). David is well known for his generous contributions to the application security community, especially his efforts to promote secure development principles, Agnitio the code review tool and Windows Phone App Analyser.

His presentation about Windows Phone 7 Platform and Application Security Overview was the only talk I actually took extensive notes at during the day. Following an introduction to Windows 7 place in the market and development using Visual Studio using the .Net compact framework, he discussed platform and application security in detail. Wonderful. It will save me days of research. I think he mentioned on Twitter, that the slides will be made available online shortly.

Mid-afternoon I attended his workshop on using his self-built software tool Agnitio, which helps arrange, track and monitor code review processes within development teams. The focus of the workshop was to walk through version 2.1 and especially the in-built code searching and examination functions. These can be used to help identify higher-risk functionality, or code which has to meet development guidelines, using a powerful extensible list of patterns cross-referenced to the code review checklist items. The tool has improved greatly since I last reviewed it in 2010, and I am looking forward to using it to develop custom checks for some of my clients. I was very impressed with its ability to decompile Android code and then run a standard set of tests against it.

Both Agnitio and Windows Phone App Analyser are free to download and use.

David Rook had won SC Magazines' Rising Star Award the previous evening. It was much deserved, and I must say reflects very well on Realex Payments who appear to be supportive of his activities to improve application security — and clearly not just within their own company, but for their customers, competitors and the wider market. I am sure many other companies would not be so enlightened.

Two of my posts last year concerning HTML5 security information sources appeared to be amongst the most popular entries on this blog. In October I mentioned three important well-maintained HTML5 Security resources, and in December an extensive Guide to HTML5 Security.

If you would prefer a slighter higher-level overview of the issues and types of attack, or need inspiration for your own security verification work, I would also recommend reading HTML5 Security - A Look at HTML5 Attack Scenarios by Robert McArdle (Trend Micro).

It is sometimes hard to find forward-looking resources about cross-site scripting (XSS).

Michal Zalewski has documented some thoughts in Postcards from the Post-XSS World inspired by his own work and by others. He describes how many XSS attacks attempt to exfiltrate data such as session cookies, alter the appearance of the targeted web site or perform state changes on behalf of the user. But where the theft of cookies is prevented by the use of the HttpOnly attribute, other common attacks are the extraction of personal data, anti-cross-site request forgery (CSRF) and capability-bearing URLs, and the alteration/destruction of legitimate content, delegation of account access, use of special privileges and propagation of attacker-supplied HTML markup.

Michal describes methods identified by himself and others that could still be able to perform XSS-like attacks even if a web site has deployed XSS defences such as using Content Security Policy.

If you are undertaking code review, security verification or penetration testing activities, this blog post is a must-read.

This evening I popped out to see the Kinetica Art Fair, an event I had been unable to attend in previous years.

The exhibition is very hands-on and displays kinetic, electronic, robotic, sound, light, time-based and multi-disciplinary new media art, science and technology. I thought I would share some of my photographs of some of the exhibits. Some were definitely weirder than others.

Many of the light-based exhibits were very beautiful, but these mechanised wings were perhaps my favourite item.

There were a few animated humanoid devices like these:

My Robot Companion above was meant to interact with you and use the camera mounted on its chest to project your own face onto the front of its head. Unfortunately, it seemed to have crashed, and was displaying a Microsoft Visual C++ runtime error and abort message (more legible from the inside of the "skull" as shown below).

I wonder if it was a memory leak? It seems we are perhaps still safe from being taken over and enslaved by highly intelligent robots, well at least not ones programmed by humans. Maybe they shouldn't have used a netbook.

Back to the text stuff tomorrow...

Further to my previous notes about HTML 5 security, a superb reference document was published earlier this month.

Michael Schmidt (Compass Security) wrote his master's thesis about HTML5 security in May 2011 and has published an extract for everyone to access.

HTML5 Web Security describes issues, vulnerabilities, threat & attack scenarios and countermeasures across 80 pages including numerous well thought-out diagrams, and is backed up with detailed references and an appendix full of attack details.

The main sections are:

• 2.2 Cross-origin resource sharing
• 2.3 Web storage
• 2.4 Offline web application
• 2.5 Web messaging
• 2.6 Custom scheme and content handlers
• 2.7 Web sockets API
• 2.8 Geolocation API
• 2.9 Implicit relevant features of HTML5
  Web workers, new elements, attributes and CSS, Iframe sandboxing and server-sent events

If you are already developing HTML, or planning to, read this document as soon as possible and update your requirements documents, specifications, design documents, coding standards, and test plans to incorporate the knowledge.

The document would be worth buying if it were a book, but it has generously been made available publicly. Yes, I am still reading the document, and so far have only one very minor complaint — it would be good to have a content list. Maybe in version 1.1?